Vulnerability Name: CVE-2008-4033 (CCN-45555) Assigned: 2008-11-11 Published: 2008-11-11 Updated: 2018-10-12 Summary: Cross-domain vulnerability in Microsoft XML Core Services 3.0 through 6.0, as used in Microsoft Expression Web, Office, Internet Explorer, and other products, allows remote attackers to obtain sensitive information from another domain and corrupt the session state via HTTP request header fields, as demonstrated by the Transfer-Encoding field, aka "MSXML Header Request Vulnerability." CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): LowIntegrity (I): NoneAvailibility (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N 3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAuthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): NoneAvailibility (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N 3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): NoneAvailibility (A): None
Vulnerability Type: CWE-200 Vulnerability Consequences: Obtain Information References: Source: MITRECVE-2008-4033 SSRT080164 IBM Security AppScan Enterprise Multiple Vulnerabilities IBM Rational Policy Tester Multiple Vulnerabilities Microsoft XML Core Services (MSXML) Bugs Let Remote Users Obtain Information and Execute Arbitrary Code 1021164 MS08-069 Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218) Nortel Response to Microsoft Security Bulletin MS08-069 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479) Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (2756145) Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2916036) Vulnerability in XML Core Services Could Allow Remote Code Execution Vulnerabilities in XML Core Services Could Allow Information Disclosure (3080129) Security Update for Microsoft XML Core Service (3148541) Security Update for Microsoft XML Core Services (4010321) Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2966061) Multiple vulnerabilities in IBM Rational Policy Tester (CVE-2013-0532, CVE-2013-0512, CVE-2012-4431, CVE-2013-0513, CVE-2008-4033, CVE-2013-0474, CVE-2013-0473, CVE-2012-5081) Multiple vulnerabilities in IBM Security AppScan Enterprise (CVE-2013-0532, CVE-2013-0510, CVE-2013-0512, CVE-2012-4431, CVE-2013-0513, CVE-2008-4033, CVE-2013-0474, CVE-2013-0511, CVE-2013-0473, CVE-2012-5081) Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218) Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403) 32204 Microsoft XML Core Services Transfer Encoding Cross Domain Information Disclosure Vulnerability TA08-316A ADV-2008-3111 MS08-069 msxml-headers-info-disclosure(45555) oval:org.mitre.oval:def:5847 Vulnerable Configuration: Configuration 1 :cpe:/a:microsoft:xml_core_services:4.0:*:*:*:*:*:*:* AND cpe:/o:microsoft:windows_2000:*:sp4:*:*:*:*:*:* OR cpe:/o:microsoft:windows_2003_server:*:sp1:*:*:*:*:*:* OR cpe:/o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows_7:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_7:*:sp1:*:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2008:r2:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:* OR cpe:/o:microsoft:windows_vista:*:sp1:*:*:*:*:*:* OR cpe:/o:microsoft:windows_vista:*:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows_xp:*:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows_xp:*:sp3:*:*:*:*:*:* Configuration 2 :cpe:/a:microsoft:xml_core_services:3.0:*:*:*:*:*:*:* AND cpe:/o:microsoft:windows_2000:*:sp4:*:*:*:*:*:* OR cpe:/o:microsoft:windows_2003_server:*:sp1:*:*:*:*:*:* OR cpe:/o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_vista:*:sp1:*:*:*:*:*:* OR cpe:/o:microsoft:windows_xp:*:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows_xp:*:sp3:*:*:*:*:*:* Configuration 3 :cpe:/a:microsoft:xml_core_services:6.0:*:*:*:*:*:*:* AND cpe:/o:microsoft:windows_2000:*:sp4:*:*:*:*:*:* OR cpe:/o:microsoft:windows_2003_server:*:sp1:*:*:*:*:*:* OR cpe:/o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_vista:*:sp1:*:*:*:*:*:* OR cpe:/o:microsoft:windows_xp:*:sp2:*:*:*:*:x64:* OR cpe:/o:microsoft:windows_xp:*:sp3:*:*:*:*:*:* Configuration 4 :cpe:/a:microsoft:xml_core_services:5.0:*:*:*:*:*:*:* AND cpe:/a:microsoft:expression_web:*:*:*:*:*:*:*:* OR cpe:/a:microsoft:expression_web:2:*:*:*:*:*:*:* OR cpe:/a:microsoft:groove:2007:*:*:*:*:*:*:* OR cpe:/a:microsoft:office:2003:sp3:*:*:*:*:*:* OR cpe:/a:microsoft:office:2007:sp1:*:*:*:*:*:* OR cpe:/a:microsoft:office_compatibility_pack:*:*:*:*:*:*:*:* OR cpe:/a:microsoft:office_compatibility_pack:*:sp1:*:*:*:*:*:* OR cpe:/a:microsoft:office_word_viewer:2003:sp3:*:*:*:*:*:* OR cpe:/a:microsoft:sharepoint_server:2007:*:*:*:*:*:*:* OR cpe:/a:microsoft:sharepoint_server:2007:sp1:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:microsoft:xml_core_services:3.0:*:*:*:*:*:*:* OR cpe:/a:microsoft:xml_core_services:4.0:*:*:*:*:*:*:* OR cpe:/a:microsoft:xml_core_services:6.0:*:*:*:*:*:*:* OR cpe:/a:microsoft:xml_core_services:5.0:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x32:* AND cpe:/o:microsoft:windows_2000:*:sp4:*:*:*:*:*:* OR cpe:/o:microsoft:windows:2003_server:*:x64:*:*:*:*:* OR cpe:/o:microsoft:windows:xp:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows:2003_server:sp1:*:*:*:*:*:* OR cpe:/o:microsoft:windows:2003_server:sp1_itanium:*:*:*:*:*:* OR cpe:/o:microsoft:windows_vista:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows:server_2003:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows:server_2003:sp2:itanium:*:*:*:*:* OR cpe:/o:microsoft:windows:server_2003:sp2:x64:*:*:*:*:* OR cpe:/o:microsoft:windows_vista:*:*:*:*:*:*:x64:* OR cpe:/o:microsoft:windows_xp::sp2:x64:*:professional:*:*:* OR cpe:/a:microsoft:office_compatibility_pack:2007:*:*:*:*:*:*:* OR cpe:/a:microsoft:groove_server:2007:*:*:*:*:*:*:* OR cpe:/a:microsoft:office:2007:*:*:*:*:*:*:* OR cpe:/a:microsoft:expression_web:*:*:*:*:*:*:*:* OR cpe:/a:microsoft:office:2003:sp3:*:*:*:*:*:* OR cpe:/o:microsoft:windows_vista:*:sp1:*:*:*:*:*:* OR cpe:/o:microsoft:windows_vista:*:sp1:*:*:*:*:x64:* OR cpe:/a:microsoft:office_word_viewer:2003:sp3:*:*:*:*:*:* OR cpe:/a:microsoft:office:2007:sp1:*:*:*:*:*:* OR cpe:/a:microsoft:sharepoint_server:2007:sp1:x64:*:*:*:*:* OR cpe:/a:microsoft:expression_web:2:*:*:*:*:*:*:* OR cpe:/a:microsoft:sharepoint_server:2007:sp1:x32:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:itanium:* OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x64:* OR cpe:/o:microsoft:windows:xp:sp3:*:*:*:*:*:* OR cpe:/a:ibm:rational_policy_tester:8.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_appscan:5.2:*:enterprise:*:*:*:*:* OR cpe:/a:ibm:rational_appscan:8.0.0:*:enterprise:*:*:*:*:* OR cpe:/a:ibm:rational_appscan:8.5.0:*:enterprise:*:*:*:*:* Oval Definitions BACK
microsoft xml core services 4.0
microsoft windows 2000 * sp4
microsoft windows 2003 server * sp1
microsoft windows 2003 server * sp2
microsoft windows 7 *
microsoft windows 7 * sp1
microsoft windows server 2008 * sp2
microsoft windows server 2008 -
microsoft windows server 2008 r2
microsoft windows server 2008 r2 sp1
microsoft windows vista * sp1
microsoft windows vista * sp2
microsoft windows xp * sp2
microsoft windows xp * sp3
microsoft xml core services 3.0
microsoft windows 2000 * sp4
microsoft windows 2003 server * sp1
microsoft windows 2003 server * sp2
microsoft windows server 2008 -
microsoft windows vista * sp1
microsoft windows xp * sp2
microsoft windows xp * sp3
microsoft xml core services 6.0
microsoft windows 2000 * sp4
microsoft windows 2003 server * sp1
microsoft windows 2003 server * sp2
microsoft windows server 2008 -
microsoft windows vista * sp1
microsoft windows xp * sp2
microsoft windows xp * sp3
microsoft xml core services 5.0
microsoft expression web *
microsoft expression web 2
microsoft groove 2007
microsoft office 2003 sp3
microsoft office 2007 sp1
microsoft office compatibility pack *
microsoft office compatibility pack * sp1
microsoft office word viewer 2003 sp3
microsoft sharepoint server 2007
microsoft sharepoint server 2007 sp1
microsoft xml core services 3.0
microsoft xml core services 4.0
microsoft xml core services 6.0
microsoft xml core services 5.0
microsoft windows server 2008 -
microsoft windows 2000 * sp4
microsoft windows 2003_server
microsoft windows xp sp2
microsoft windows 2003_server sp1
microsoft windows 2003_server sp1_itanium
microsoft windows vista *
microsoft windows server_2003 sp2
microsoft windows server_2003 sp2
microsoft windows server_2003 sp2
microsoft windows vista *
microsoft windows xp sp2
microsoft office compatibility pack 2007
microsoft groove server 2007
microsoft office 2007
microsoft expression web *
microsoft office 2003 sp3
microsoft windows vista * sp1
microsoft windows vista * sp1
microsoft office word viewer 2003 sp3
microsoft office 2007 sp1
microsoft sharepoint server 2007 sp1
microsoft expression web 2
microsoft sharepoint server 2007 sp1
microsoft windows server 2008
microsoft windows server 2008 -
microsoft windows xp sp3
ibm rational policy tester 8.0.0.0
ibm rational appscan 5.2
ibm rational appscan 8.0.0
ibm rational appscan 8.5.0
Denotes that component is vulnerable