cnvd - cnvd-2021-08823

cnvd-2021-08823

Vulnerability from cnvd

Title

Microsoft Word远程代码执行漏洞（CNVD-2021-08823）

Description

Microsoft Word是美国微软（Microsoft）公司的一套Office套件中的文字处理软件。 Microsoft Word存在远程代码执行漏洞。该漏洞源于程序未对内存中的对象进行正确处理。攻击者可借助特制文件利用该漏洞在当前用户的上下文中执行操作并执行与当前用户相同权限的操作。

Severity

中

Patch Name

Microsoft Word远程代码执行漏洞（CNVD-2021-08823）的补丁

Patch Description

Microsoft Word是美国微软（Microsoft）公司的一套Office套件中的文字处理软件。 Microsoft Word存在远程代码执行漏洞。该漏洞源于程序未对内存中的对象进行正确处理。攻击者可借助特制文件利用该漏洞在当前用户的上下文中执行操作并执行与当前用户相同权限的操作。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

用户可参考如下供应商提供的安全公告获得补丁信息： https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1338

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-1338

Impacted products

Name
['Microsoft Office 2016', 'Microsoft Office Online Server', 'Microsoft Office 2019', 'Microsoft SharePoint Server 2019', 'Microsoft 365 Apps']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-1338",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-1338"
    }
  },
  "description": "Microsoft Word\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u7684\u4e00\u5957Office\u5957\u4ef6\u4e2d\u7684\u6587\u5b57\u5904\u7406\u8f6f\u4ef6\u3002\n\nMicrosoft Word\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u5bf9\u5185\u5b58\u4e2d\u7684\u5bf9\u8c61\u8fdb\u884c\u6b63\u786e\u5904\u7406\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u6587\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u5f53\u524d\u7528\u6237\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u64cd\u4f5c\u5e76\u6267\u884c\u4e0e\u5f53\u524d\u7528\u6237\u76f8\u540c\u6743\u9650\u7684\u64cd\u4f5c\u3002",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1338",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-08823",
  "openTime": "2021-02-02",
  "patchDescription": "Microsoft Word\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u7684\u4e00\u5957Office\u5957\u4ef6\u4e2d\u7684\u6587\u5b57\u5904\u7406\u8f6f\u4ef6\u3002\r\n\r\nMicrosoft Word\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u5bf9\u5185\u5b58\u4e2d\u7684\u5bf9\u8c61\u8fdb\u884c\u6b63\u786e\u5904\u7406\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u6587\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u5f53\u524d\u7528\u6237\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u64cd\u4f5c\u5e76\u6267\u884c\u4e0e\u5f53\u524d\u7528\u6237\u76f8\u540c\u6743\u9650\u7684\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Microsoft Word\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CNVD-2021-08823\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Microsoft Office 2016",
      "Microsoft Office Online Server",
      "Microsoft Office 2019",
      "Microsoft SharePoint Server 2019",
      "Microsoft 365 Apps"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-1338",
  "serverity": "\u4e2d",
  "submitTime": "2020-10-26",
  "title": "Microsoft Word\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CNVD-2021-08823\uff09"
}

CVE-2020-1338 (GCVE-0-2020-1338)

Vulnerability from cvelistv5

Published

2020-09-11 17:09

Modified

2024-08-04 06:32

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

CWE

Remote Code Execution

Summary

A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user. To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Word software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Word handles files in memory.

References

URL

Tags

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1338

x_refsource_MISC

Impacted products

Vendor

Product

Version

Microsoft

Microsoft SharePoint Server 2019

Version: 16.0.0 < publication
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*

Microsoft	Microsoft Office 2019	Version: 19.0.0 < https://aka.ms/OfficeSecurityReleases cpe:2.3:a:microsoft:office:2019:::::::*
Microsoft	Microsoft Office 2019 for Mac	Version: 16.0.0 < publication cpe:2.3:a:microsoft:office:2019:::::macos::
Microsoft	Microsoft Office Online Server	Version: 16.0.1 < publication cpe:2.3:a:microsoft:office_online_server:-:::::::*
Microsoft	Microsoft 365 Apps for Enterprise	Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases cpe:2.3:a:microsoft:365_apps:-::::enterprise:::
Microsoft	Microsoft Office 2016 for Mac	Version: 16.0.0 < publication cpe:2.3:a:microsoft:office:2016:::::mac_os::

Show details on NVD website