Vulnerability-Lookup - Search a vulnerability

Refine your search

Product

Sort by

Order

Sources

1 vulnerability found for Visual C++ Redistributable Installer by Microsoft Corporation

jvndb-2018-000051

Vulnerability from jvndb

Published

2018-05-17 14:57

Modified

2019-07-05 16:41

Severity ?

7.8 (High) - cvssV3_0 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

The installer of Visual C++ Redistributable may insecurely load Dynamic Link Libraries

Details

The installer of Visual C++ Redistributable provided Microsoft contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries in the same directory as the installer (CWE-427). Microsoft states that the root cause of this vulnerability is "Application Directory (App Dir) DLL planting" and attacks exploiting this vulnerability are limited, thus there is no plan to release any security updates to address this issue. For details, refer to "Application Directory (App Dir) DLL planting" released by Microsoft.

References

Type

URL

	JVN	https://jvn.jp/en/jp/JVN81196185/index.html
	JVN	https://jvn.jp/en/ta/JVNTA91240916/index.html
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0599
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2018-0599
	No Mapping(CWE-Other)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor

Product

Microsoft Corporation

Visual C++ Redistributable Installer

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000051.html",
  "dc:date": "2019-07-05T16:41+09:00",
  "dcterms:issued": "2018-05-17T14:57+09:00",
  "dcterms:modified": "2019-07-05T16:41+09:00",
  "description": "The installer of Visual C++ Redistributable provided Microsoft contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries in the same directory as the installer (CWE-427).\r\nMicrosoft states that the root cause of this vulnerability is \"Application Directory (App Dir) DLL planting\" and attacks exploiting this vulnerability are limited, thus there is no plan to release any security updates to address this issue.\r\n\r\nFor details, refer to \"Application Directory (App Dir) DLL planting\" released by Microsoft.",
  "link": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000051.html",
  "sec:cpe": {
    "#text": "cpe:/a:microsoft:visual_c%2B%2B_redistributable_installer",
    "@product": "Visual C++ Redistributable Installer",
    "@vendor": "Microsoft Corporation",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "6.8",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "7.8",
      "@severity": "High",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2018-000051",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN81196185/index.html",
      "@id": "JVN#81196185",
      "@source": "JVN"
    },
    {
      "#text": "https://jvn.jp/en/ta/JVNTA91240916/index.html",
      "@id": "JVNTA#91240916",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0599",
      "@id": "CVE-2018-0599",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0599",
      "@id": "CVE-2018-0599",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "The installer of Visual C++ Redistributable may insecurely load Dynamic Link Libraries"
}