ID CVE-2008-3068
Summary Microsoft Crypto API 5.131.2600.2180 through 6.0, as used in Outlook, Windows Live Mail, and Office 2007, performs Certificate Revocation List (CRL) checks by using an arbitrary URL from a certificate embedded in a (1) S/MIME e-mail message or (2) signed document, which allows remote attackers to obtain reading times and IP addresses of recipients, and port-scan results, via a crafted certificate with an Authority Information Access (AIA) extension.
References
Vulnerable Configurations
  • cpe:2.3:a:microsoft:access:2007:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:excel:2003:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:excel:2007:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:frontpage:2003:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:groove:2007:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:infopath:2003:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:infopath:2007:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2007:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2007:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office_communicator:2007:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:onenote:2003:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:outlook:2003:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:outlook:2007:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:powerpoint:2003:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:powerpoint:2007:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:project_professional:2007:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:project_standard:2007:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:publisher:2003:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:publisher:2007:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:sharepoint_designer:2007:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visio_professional:2007:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visio_standard:2007:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:windows_live_mail:2008:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 11-10-2018 - 20:45)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
refmap via4
bid 28548
bugtraq
  • 20080703 Unauthorized reading confirmation from Outlook
  • 20080709 Re: Unauthorized reading confirmation from Outlook
misc
sectrack
  • 1019736
  • 1019737
  • 1019738
sreason 3978
Last major update 11-10-2018 - 20:45
Published 07-07-2008 - 23:41
Last modified 11-10-2018 - 20:45