Vulnerability Name: CVE-2017-8631 (CCN-129353) Assigned: 2017-09-12 Published: 2017-09-12 Updated: 2021-09-13 Summary: A remote code execution vulnerability exists in Excel Services, Microsoft Excel 2007 Service Pack 3, Microsoft Excel 2010 Service Pack 2, Microsoft Excel 2013 Service Pack 1, Microsoft Excel 2013 RT Service Pack 1, Microsoft Excel 2016, Microsoft Office Web Apps 2013, Microsoft Office Compatibility Pack Service Pack 3, Microsoft Excel Web App 2013 Service Pack 1, Microsoft Excel Viewer 2007 Service Pack 3, and Office Online Server when they fail to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8630 , CVE-2017-8632 , and CVE-2017-8744 . CVSS v3 Severity: 7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H )6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C )Exploitability Metrics: Attack Vector (AV): LocalAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): RequiredScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
7.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H )6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C )Exploitability Metrics: Attack Vector (AV): LocalAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): RequiredScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
CVSS v2 Severity: 9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C )Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAuthentication (Au): NoneImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C )Exploitability Metrics: Access Vector (AV): LocalAccess Complexity (AC): LowAthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
Vulnerability Type: CWE-noinfo Vulnerability Consequences: Gain Access References: Source: MITRE Type: CNACVE-2017-8631 Source: BID Type: Third Party Advisory, VDB Entry100751 Source: CCN Type: BID-100751Microsoft Office CVE-2017-8631 Memory Corruption Vulnerability Source: SECTRACK Type: Third Party Advisory, VDB Entry1039315 Source: XF Type: UNKNOWNms-office-cve20178631-code-exec(129353) Source: CCN Type: Microsoft Security TechCenter - September 2017Microsoft Office Memory Corruption Vulnerability Source: CONFIRM Type: Patch, Vendor Advisoryhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8631 Source: CCN Type: ZDI-17-727Microsoft Office Excel xlsb File Heap-based Buffer Overflow Remote Code Execution Vulnerability Vulnerable Configuration: Configuration 1 :cpe:/a:microsoft:excel:2013:sp1:*:*:*:*:*:* OR cpe:/a:microsoft:excel:2016:*:*:*:*:*:*:* OR cpe:/a:microsoft:excel_2007:-:sp3:*:*:*:*:*:* OR cpe:/a:microsoft:excel_2010:*:sp2:*:*:*:*:*:* OR cpe:/a:microsoft:excel_2013_rt:-:sp1:*:*:*:*:*:* OR cpe:/a:microsoft:excel_viewer:2007:sp3:*:*:*:*:*:* OR cpe:/a:microsoft:excel_web_app:2013:sp1:*:*:*:*:*:* OR cpe:/a:microsoft:office_compatibility_pack:-:sp3:*:*:*:*:*:* OR cpe:/a:microsoft:office_online_server:*:*:*:*:*:*:*:* OR cpe:/a:microsoft:office_web_apps:2013:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:microsoft:excel_viewer:*:*:*:*:*:*:*:* OR cpe:/a:microsoft:excel:2007:sp3:*:*:*:*:*:* OR cpe:/a:microsoft:office_compatibility_pack:*:sp3:*:*:*:*:*:* OR cpe:/a:microsoft:excel:2010:sp2:*:*:*:*:x64:* OR cpe:/a:microsoft:excel:2010:sp2:*:*:*:*:x32:* OR cpe:/a:microsoft:office_web_apps:2013:sp1:*:*:*:*:*:* OR cpe:/a:microsoft:excel:2013:sp1:*:*:*:*:x32:* OR cpe:/a:microsoft:excel:2013:sp1:*:*:*:*:x64:* OR cpe:/a:microsoft:excel:2013:sp1:*:*:rt:*:*:* OR cpe:/a:microsoft:excel_web_app_2013:-:sp1:*:*:*:*:*:* OR cpe:/a:microsoft:excel:2011:*:*:*:*:mac:*:* OR cpe:/a:microsoft:excel:2016:*:*:*:*:mac:*:* OR cpe:/a:microsoft:excel:2016:*:*:*:*:*:x32:* OR cpe:/a:microsoft:excel:2016:*:*:*:*:*:x64:* OR cpe:/a:microsoft:office_online_server:*:*:*:*:*:*:*:* OR cpe:/a:microsoft:excel_services:-:*:*:*:*:*:*:* AND cpe:/a:microsoft:sharepoint_server:2010:sp1:*:*:*:*:*:* Denotes that component is vulnerable BACK
microsoft excel 2013 sp1
microsoft excel 2016
microsoft excel 2007 - sp3
microsoft excel 2010 * sp2
microsoft excel 2013 rt - sp1
microsoft excel viewer 2007 sp3
microsoft excel web app 2013 sp1
microsoft office compatibility pack - sp3
microsoft office online server *
microsoft office web apps 2013
microsoft excel viewer *
microsoft excel 2007 sp3
microsoft office compatibility pack * sp3
microsoft excel 2010 sp2
microsoft excel 2010 sp2
microsoft office web apps 2013 sp1
microsoft excel 2013 sp1
microsoft excel 2013 sp1
microsoft excel 2013 sp1
microsoft excel web app 2013 - sp1
microsoft excel 2011
microsoft excel 2016
microsoft excel 2016
microsoft excel 2016
microsoft office online server *
microsoft excel services -
microsoft sharepoint server 2010 sp1