1. CVE-Search
  2. CVE-2017-8557
ID CVE-2017-8557
Summary Windows System Information Console in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an information disclosure vulnerability improperly parses XML input containing a reference to an external entity, aka "Windows System Information Console Information Disclosure Vulnerability".
References
Vulnerable Configurations
  • cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
    cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
  • cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
    cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
CVSS
Base: 2.1 (as of 26-03-2019 - 17:57)
Impact:
Exploitability:
CWE CWE-611
CAPEC
  • XML External Entities Blowup
    This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
cvss-vector via4 AV:L/AC:L/Au:N/C:P/I:N/A:N
refmap via4
bid
  • 99387
  • 99398
confirm https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8557
sectrack 1038855
Last major update 26-03-2019 - 17:57
Published 11-07-2017 - 21:29
Last modified 26-03-2019 - 17:57
Back to Top