Vulnerability Name:
CVE-2019-1172 (CCN-164566)
Assigned:
2018-11-26
Published:
2019-08-13
Updated:
2019-08-21
Summary:
An information disclosure vulnerability exists in Azure Active Directory (AAD) Microsoft Account (MSA) during the login request session, aka 'Windows Information Disclosure Vulnerability'.
CVSS v3 Severity:
4.3 Medium
(CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
)
3.8 Low
(Temporal CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
Low
Integrity (I):
None
Availibility (A):
None
4.3 Medium
(CCN CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
)
3.8 Low
(CCN Temporal CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
Low
Integrity (I):
None
Availibility (A):
None
CVSS v2 Severity:
4.3 Medium
(CVSS v2 Vector:
AV:N/AC:M/Au:N/C:P/I:N/A:N
)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Medium
Authentication (Au):
None
Impact Metrics:
Confidentiality (C):
Partial
Integrity (I):
None
Availibility (A):
None
4.0 Medium
(CCN CVSS v2 Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Low
Athentication (Au):
Single_Instance
Impact Metrics:
Confidentiality (C):
Partial
Integrity (I):
None
Availibility (A):
None
Vulnerability Type:
CWE-200
Vulnerability Consequences:
Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2019-1172
Source: XF
Type: UNKNOWN
ms-windows-cve20191172-info-disc(164566)
Source: CCN
Type: Microsoft Security TechCenter - August 2019
Windows Information Disclosure Vulnerability
Source: MISC
Type: Patch, Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1172
Vulnerable Configuration:
Configuration 1
:
cpe:/o:microsoft:windows_10:-:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_10:1607:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_10:1703:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_10:1709:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_10:1803:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_10:1809:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_10:1903:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
Configuration CCN 1
:
cpe:/o:microsoft:windows_8.1:-:-:-:*:-:-:x32:*
OR
cpe:/o:microsoft:windows_8.1:*:*:*:*:*:*:x64:*
OR
cpe:/o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_10:-:*:*:*:*:*:x32:*
OR
cpe:/o:microsoft:windows_10:*:*:*:*:*:*:x64:*
OR
cpe:/o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_server:1803:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_10:-:*:*:*:*:*:arm64:*
OR
cpe:/o:microsoft:windows_server:1903:*:*:*:*:*:*:*
Denotes that component is vulnerable
BACK
microsoft
windows 10 -
microsoft
windows 10 1607
microsoft
windows 10 1703
microsoft
windows 10 1709
microsoft
windows 10 1803
microsoft
windows 10 1809
microsoft
windows 10 1903
microsoft
windows 8.1 -
microsoft
windows rt 8.1 -
microsoft
windows server 2012 -
microsoft
windows server 2012 r2
microsoft
windows server 2016 -
microsoft
windows server 2016 1803
microsoft
windows server 2016 1903
microsoft
windows server 2019 -
microsoft
windows 8.1 - -
microsoft
windows 8.1 *
microsoft
windows server 2012 r2
microsoft
windows rt 8.1 *
microsoft
windows 10 -
microsoft
windows 10 *
microsoft
windows server 2016
microsoft
windows server 1803
microsoft
windows server 2019
microsoft
windows 10 -
microsoft
windows server 1903