cnvd - cnvd-2019-40535

cnvd-2019-40535

Vulnerability from cnvd

Title: Microsoft Outlook权限提升漏洞（CNVD-2019-40535）

Description:

Microsoft Outlook是一款个人信息管理系统软件，功能包括收发电子邮件、日历等等。

Microsoft Outlook中存在权限提升漏洞，该漏洞源于在程序处理进入的邮件时未能充分验证邮件格式，攻击者可通过向用户发送特制的邮件利用该漏洞强制Outlook加载本地或远程消息存储。

Severity: 中

Patch Name: Microsoft Outlook权限提升漏洞（CNVD-2019-40535）的补丁

Patch Description:

Microsoft Outlook是一款个人信息管理系统软件，功能包括收发电子邮件、日历等等。

Microsoft Outlook中存在权限提升漏洞，该漏洞源于在程序处理进入的邮件时未能充分验证邮件格式，攻击者可通过向用户发送特制的邮件利用该漏洞强制Outlook加载本地或远程消息存储。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1204

Reference: https://vigilance.fr/vulnerability/Microsoft-Office-vulnerabilities-of-August-2019-30035

Impacted products

Name
['Microsoft Outlook 2010 SP2', 'Microsoft Outlook 2013 SP1', 'Microsoft Outlook 2013 RT SP1', 'Microsoft outlook 2016', 'Microsoft Office 2019', 'Microsoft Office 365 ProPlus']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-1204",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-1204"
    }
  },
  "description": "Microsoft Outlook\u662f\u4e00\u6b3e\u4e2a\u4eba\u4fe1\u606f\u7ba1\u7406\u7cfb\u7edf\u8f6f\u4ef6\uff0c\u529f\u80fd\u5305\u62ec\u6536\u53d1\u7535\u5b50\u90ae\u4ef6\u3001\u65e5\u5386\u7b49\u7b49\u3002\n\nMicrosoft Outlook\u4e2d\u5b58\u5728\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u7a0b\u5e8f\u5904\u7406\u8fdb\u5165\u7684\u90ae\u4ef6\u65f6\u672a\u80fd\u5145\u5206\u9a8c\u8bc1\u90ae\u4ef6\u683c\u5f0f\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5411\u7528\u6237\u53d1\u9001\u7279\u5236\u7684\u90ae\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u5f3a\u5236Outlook\u52a0\u8f7d\u672c\u5730\u6216\u8fdc\u7a0b\u6d88\u606f\u5b58\u50a8\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1204",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-40535",
  "openTime": "2019-11-14",
  "patchDescription": "Microsoft Outlook\u662f\u4e00\u6b3e\u4e2a\u4eba\u4fe1\u606f\u7ba1\u7406\u7cfb\u7edf\u8f6f\u4ef6\uff0c\u529f\u80fd\u5305\u62ec\u6536\u53d1\u7535\u5b50\u90ae\u4ef6\u3001\u65e5\u5386\u7b49\u7b49\u3002\r\n\r\nMicrosoft Outlook\u4e2d\u5b58\u5728\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u7a0b\u5e8f\u5904\u7406\u8fdb\u5165\u7684\u90ae\u4ef6\u65f6\u672a\u80fd\u5145\u5206\u9a8c\u8bc1\u90ae\u4ef6\u683c\u5f0f\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5411\u7528\u6237\u53d1\u9001\u7279\u5236\u7684\u90ae\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u5f3a\u5236Outlook\u52a0\u8f7d\u672c\u5730\u6216\u8fdc\u7a0b\u6d88\u606f\u5b58\u50a8\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Microsoft Outlook\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff08CNVD-2019-40535\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Microsoft Outlook 2010  SP2",
      "Microsoft Outlook 2013 SP1",
      "Microsoft Outlook 2013 RT SP1",
      "Microsoft outlook 2016",
      "Microsoft Office 2019",
      "Microsoft Office 365 ProPlus"
    ]
  },
  "referenceLink": "https://vigilance.fr/vulnerability/Microsoft-Office-vulnerabilities-of-August-2019-30035",
  "serverity": "\u4e2d",
  "submitTime": "2019-08-21",
  "title": "Microsoft Outlook\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff08CNVD-2019-40535\uff09"
}

CVE-2019-1204 (GCVE-0-2019-1204)

Vulnerability from cvelistv5

Published

2019-08-14 20:55

Modified

2024-08-04 18:13

Severity ?

CWE

Elevation of Privilege

Summary

An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the formatting of the messages. An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB). To exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email. This update addresses the vulnerability by ensuring Office fully validates incoming email formatting before processing message content.

References

▼	URL	Tags
	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1204	x_refsource_MISC

Impacted products

Vendor

Product

Version

▼

Microsoft

Microsoft Office 2019

Version: 19.0.0 < https://aka.ms/OfficeSecurityReleases
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:*

Microsoft	Office 365 ProPlus	Version: 16.0.0 < publication cpe:2.3:a:microsoft:office_365_proplus:-:::::::*
Microsoft	Microsoft Outlook 2016	Version: 16.0.0.0 < publication cpe:2.3:a:microsoft:outlook:2016:::::x86:: cpe:2.3:a:microsoft:outlook:2016:::::x64::
Microsoft	Microsoft Outlook 2013 Service Pack 1	Version: 15.0.0.0 < publication cpe:2.3:a:microsoft:outlook:2013:::::x86:: cpe:2.3:a:microsoft:outlook:2013::::::x64: cpe:2.3:a:microsoft:outlook:2013::::rt:::
Microsoft	Microsoft Outlook 2010 Service Pack 2	Version: 13.0.0.0 < publication cpe:2.3:a:microsoft:outlook:2010:sp2::::::

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T18:13:29.173Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1204"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "19.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:office_365_proplus:-:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Office 365 ProPlus",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "publication",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:outlook:2016:*:*:*:*:x86:*:*",
            "cpe:2.3:a:microsoft:outlook:2016:*:*:*:*:x64:*:*"
          ],
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Outlook 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "publication",
              "status": "affected",
              "version": "16.0.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:outlook:2013:*:*:*:*:x86:*:*",
            "cpe:2.3:a:microsoft:outlook:2013:*:*:*:*:*:x64:*",
            "cpe:2.3:a:microsoft:outlook:2013:*:*:*:rt:*:*:*"
          ],
          "platforms": [
            "32-bit Systems",
            "x64-based Systems",
            "ARM64-based Systems"
          ],
          "product": "Microsoft Outlook 2013 Service Pack 1",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "publication",
              "status": "affected",
              "version": "15.0.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:outlook:2010:sp2:*:*:*:*:*:*"
          ],
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Outlook 2010 Service Pack 2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "publication",
              "status": "affected",
              "version": "13.0.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2019-08-13T07:00:00+00:00",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the formatting of the messages. An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB).\nTo exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email.\nThis update addresses the vulnerability by ensuring Office fully validates incoming email formatting before processing message content.\n"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Elevation of Privilege",
              "lang": "en-US",
              "type": "Impact"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-29T16:51:04.255Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1204"
        }
      ],
      "title": "Microsoft Outlook Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2019-1204",
    "datePublished": "2019-08-14T20:55:05",
    "dateReserved": "2018-11-26T00:00:00",
    "dateUpdated": "2024-08-04T18:13:29.173Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted