Vulnerability Name:

CVE-2008-0083 (CCN-40056)

Assigned:2008-04-08
Published:2008-04-08
Updated:2018-10-12
Summary:The (1) VBScript (VBScript.dll) and (2) JScript (JScript.dll) scripting engines 5.1 and 5.6, as used in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 SP1 and SP2, do not properly decode script, which allows remote attackers to execute arbitrary code via unknown vectors.
CVSS v3 Severity:10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
9.3 High (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.9 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-94
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2008-0083

Source: HP
Type: UNKNOWN
SSRT080048

Source: CCN
Type: SA29712
Microsoft VBScript/JScript Script Decoding Buffer Overflow

Source: SECUNIA
Type: Vendor Advisory
29712

Source: CCN
Type: SECTRACK ID: 1019799
Windows VBScript and JScript Scripting Engine Bug Lets Remote Users Execute Arbitrary Code

Source: CCN
Type: ASA-2008-158
MS08-022 Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)

Source: CCN
Type: NORTEL BULLETIN ID: 2008008771, Rev 1
Nortel Response to Microsoft Security Bulletin MS08-022

Source: CCN
Type: NORTEL BULLETIN ID: 2008008788, Rev 1
Centrex IP Client Manager (CICM) response to Microsoft April security bulletin

Source: CCN
Type: Microsoft Security Bulletin MS08-022
Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)

Source: BID
Type: Patch
28551

Source: CCN
Type: BID-28551
Microsoft VBScript and JScript Scripting Engines Remote Code Execution Vulnerability

Source: SECTRACK
Type: UNKNOWN
1019799

Source: CERT
Type: US Government Resource
TA08-099A

Source: VUPEN
Type: Vendor Advisory
ADV-2008-1146

Source: MS
Type: UNKNOWN
MS08-022

Source: XF
Type: UNKNOWN
win-vbscript-jscript-code-execution(40056)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:5495

Vulnerable Configuration:Configuration 1:
  • cpe:/o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:*:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:sp1:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:sp2:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:sp2:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:*:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:sp2:x64:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:microsoft:jscript:5.6:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:vbscript:5.6:*:*:*:*:*:*:*
  • AND
  • cpe:/o:microsoft:windows_2000:-:sp4:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server::x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:xp:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server:sp1_itanium:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp::sp2:x64:*:professional:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:5495
    V
    VBScript and JScript Remote Code Execution Vulnerability
    2008-05-19
    BACK
    microsoft windows 2000 * sp4
    microsoft windows 2003 server *
    microsoft windows 2003 server * sp1
    microsoft windows 2003 server * sp1
    microsoft windows 2003 server * sp2
    microsoft windows 2003 server * sp2
    microsoft windows 2003 server * sp2
    microsoft windows xp *
    microsoft windows xp * sp2
    microsoft windows xp * sp2
    microsoft jscript 5.6
    microsoft vbscript 5.6
    microsoft windows 2000 - sp4
    microsoft windows 2003_server
    microsoft windows xp sp2
    microsoft windows 2003_server sp1
    microsoft windows 2003_server sp1_itanium
    microsoft windows server_2003 sp2
    microsoft windows server_2003 sp2
    microsoft windows server_2003 sp2
    microsoft windows xp sp2