Vulnerability Name: CVE-2002-1338 (CCN-8784)

Assigned: 2002-04-08
Published: 2002-04-08
Updated: 2017-07-11
Summary: The Load method in the Chart component of Office Web Components (OWC) 9 and 10 generates an exception when a specified file does not exist, which allows remote attackers to determine the existence of local files.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-Other
Vulnerability Consequences: Obtain Information
References:

Source: CCN
Type: Internet Security Systems Security Alert, August 22, 2002
Multiple Vulnerabilities in Microsoft Office Web Components

Source: MITRE
Type: CNA
CVE-2002-1338

Source: BUGTRAQ
Type: UNKNOWN
20020408 Multiple local files detection issues with OWC in IE (GM#008-IE)

Source: CCN
Type: Microsoft Office Download Center
Office XP Tool: Web Components

Source: CCN
Type: GreyMagic Security Advisory GM#008-IE
Multiple local files detection issues with OWC in IE

Source: MISC
Type: Exploit, Patch, Vendor Advisory
http://security.greymagic.com/adv/gm008-ie/

Source: CCN
Type: US-CERT VU#156123
Microsoft Office Web Components allows arbitrary user to determine whether local file exists via Chart component Load method

Source: CERT-VN
Type: US Government Resource
VU#156123

Source: CCN
Type: Microsoft Security Bulletin MS02-044
Unsafe Functions in Office Web Components (Q328130)

Source: CCN
Type: OSVDB ID: 3009
Microsoft IE OWC Load File Existence Verification

Source: BID
Type: UNKNOWN
4454

Source: CCN
Type: BID-4454
Microsoft Office Web Components Chart Local File Existence Disclosure Vulnerability

Source: XF
Type: UNKNOWN
owc-chart-load-exist(8784)

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:microsoft:office_web_components:2002:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:microsoft:office_web_components:2000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office_web_components:2002:*:*:*:*:*:*:*
  • AND
  • cpe:/a:microsoft:proxy_server:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office:2000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:isa_server:2000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:commerce_server:2000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office:xp:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:commerce_server:2002:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:backoffice:2000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:biztalk_server:2000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:biztalk_server:2002:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:money:2002:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:money:2003:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:project:2002:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:small_business_server:2000:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    microsoft office web components 2002
    microsoft office web components 2000
    microsoft office web components 2002
    microsoft proxy server 2.0
    microsoft office 2000
    microsoft isa server 2000
    microsoft commerce server 2000
    microsoft office xp
    microsoft commerce server 2002
    microsoft backoffice 2000
    microsoft biztalk server 2000
    microsoft biztalk server 2002
    microsoft money 2002
    microsoft money 2003
    microsoft project 2002
    microsoft small business server 2000