Vulnerability Name: CVE-2018-0919 (CCN-139683)
Assigned: 2017-12-01
Published: 2018-03-13
Updated: 2020-08-24
Summary: Microsoft Office 2010 SP2, 2013 SP1, and 2016, Microsoft Office 2016 Click-to-Run, Microsoft Office 2016 for Mac, Microsoft Office Web Apps 2010 SP2, Microsoft Office Web Apps 2013 SP1, Microsoft SharePoint Enterprise Server 2013 SP1, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2010 SP2, Microsoft Word 2010 SP2, Word 2013 SP1 and Microsoft Word 2016 allow an information disclosure vulnerability due to how variables are initialized, aka "Microsoft Office Information Disclosure Vulnerability".

CVSS v3 Severity:
3.3 Low (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
2.9 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Local
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): Required
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): Low
    Integrity (I): None
    Availability (A): None
5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Local
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): Required
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): High
    Integrity (I): None
    Availability (A): None

CVSS v2 Severity:
4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Medium
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): Partial
    Integrity (I): None
    Availability (A): None
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:N/A:N)
  Exploitability Metrics:
    Access Vector (AV): Local
    Access Complexity (AC): Low
    Authentication (Au): Single_Instance
  Impact Metrics:
    Confidentiality (C): Complete
    Integrity (I): None
    Availability (A): None
Vulnerability Type: CWE-908 CWE-125
Vulnerability Consequences: Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2018-0919

Source: BID
Type: Third Party Advisory, VDB Entry
103311

Source: CCN
Type: BID-103311
Microsoft Office CVE-2018-0919 Information Disclosure Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1040526

Source: XF
Type: UNKNOWN
ms-office-cve20180919-info-disc(139683)

Source: CCN
Type: Microsoft Security TechCenter - March 2018
Microsoft Office Information Disclosure Vulnerability

Source: CONFIRM
Type: Patch, Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0919

Vulnerable Configuration:

Configuration 1:
cpe:/a:microsoft:office:2010:sp2:*:*:*:*:*:* OR
cpe:/a:microsoft:office:2016:*:*:*:*:mac_os_x:*:* OR
cpe:/a:microsoft:office:2016:*:*:*:click-to-run:*:*:* OR
cpe:/a:microsoft:office_online_server:2016:*:*:*:*:*:*:* OR
cpe:/a:microsoft:office_web_apps:2010:sp2:*:*:*:*:*:* OR
cpe:/a:microsoft:office_web_apps_server:2013:sp1:*:*:*:*:*:* OR
cpe:/a:microsoft:sharepoint_enterprise_server:2013:sp1:*:*:*:*:*:* OR
cpe:/a:microsoft:sharepoint_enterprise_server:2016:*:*:*:*:*:*:* OR
cpe:/a:microsoft:sharepoint_server:2010:sp2:*:*:*:*:*:* OR
cpe:/a:microsoft:word:2010:sp2:*:*:*:*:*:* OR
cpe:/a:microsoft:word:2013:sp1:*:*:*:*:*:* OR
cpe:/a:microsoft:word:2013:sp1:*:*:rt:*:*:* OR
cpe:/a:microsoft:word:2016:*:*:*:*:*:*:*

Configuration CCN 1:
cpe:/a:microsoft:sharepoint_server:2010:sp2:*:*:*:*:*:* OR
cpe:/a:microsoft:office:2010:sp2:*:*:*:*:x64:* OR
cpe:/a:microsoft:office:2010:sp2:x32:*:*:*:*:* OR
cpe:/a:microsoft:word:2010:sp2:*:*:*:*:x32:* OR
cpe:/a:microsoft:word:2010:sp2:*:*:*:*:x64:* OR
cpe:/a:microsoft:office_web_apps:2010:sp2:*:*:*:*:*:* OR
cpe:/a:microsoft:office_web_apps:2013:sp1:*:*:*:*:*:* OR
cpe:/a:microsoft:word:2013:sp1:*:*:*:*:x32:* OR
cpe:/a:microsoft:word:2013:sp1:*:*:*:*:x64:* OR
cpe:/a:microsoft:word:2013:sp1:*:*:rt:*:*:* OR
cpe:/a:microsoft:word:2016:*:*:*:*:*:x32:* OR
cpe:/a:microsoft:word:2016:*:*:*:*:*:x64:* OR
cpe:/a:microsoft:office:2016:*:*:*:*:mac:*:* OR
cpe:/a:microsoft:sharepoint_enterprise_server:2016:*:*:*:*:*:*:* OR
cpe:/a:microsoft:office_online_server:2016:*:*:*:*:*:*:* OR
cpe:/a:microsoft:sharepoint_enterprise_server:2013:sp1:*:*:*:*:*:* OR
cpe:/a:microsoft:office:2016:*:*:*:click-to-run:*:x32:* OR
cpe:/a:microsoft:office:2016:*:*:*:click-to-run:*:x64:*

microsoft office 2010 sp2
microsoft office 2016
microsoft office 2016
microsoft office online server 2016
microsoft office web apps 2010 sp2
microsoft office web apps server 2013 sp1
microsoft sharepoint enterprise server 2013 sp1
microsoft sharepoint enterprise server 2016
microsoft sharepoint server 2010 sp2
microsoft word 2010 sp2
microsoft word 2013 sp1
microsoft word 2013 sp1
microsoft word 2016
microsoft sharepoint server 2010 sp2
microsoft office 2010 sp2
microsoft office 2010 sp2
microsoft word 2010 sp2
microsoft word 2010 sp2
microsoft office web apps 2010 sp2
microsoft office web apps 2013 sp1
microsoft word 2013 sp1
microsoft word 2013 sp1
microsoft word 2013 sp1
microsoft word 2016
microsoft word 2016
microsoft office 2016
microsoft sharepoint enterprise server 2016
microsoft office online server 2016
microsoft sharepoint enterprise server 2013 sp1
microsoft office 2016
microsoft office 2016