All the vulnerabilites related to Microsoft Corporation - IExpress
jvndb-2018-000050
Vulnerability from jvndb
Published
2018-05-17 14:57
Modified
2018-08-21 16:40
Severity ?
7.8 (High) - cvssV3_0 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Self-Extracting Archive files created by IExpress may insecurely load Dynamic Link Libraries
Details
Self-extracting archive files created by IExpress provided Microsoft contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Microsoft states that the root cause of this vulnerability is "Application Directory (App Dir) DLL planting" and attacks exploiting this vulnerability are limited, thus there is no plan to release any security updates to address this issue. For details, refer to "Application Directory (App Dir) DLL planting" released by Microsoft. Eili Masami reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
JVN https://jvn.jp/en/jp/JVN72748502/index.html
JVN https://jvn.jp/en/ta/JVNTA91240916/
CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0598
NVD https://nvd.nist.gov/vuln/detail/CVE-2018-0598
No Mapping(CWE-Other) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Impacted products
Microsoft CorporationIExpress
Microsoft CorporationMicrosoft Windows
Show details on JVN DB website

To clipboard 

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000050.html",
  "dc:date": "2018-08-21T16:40+09:00",
  "dcterms:issued": "2018-05-17T14:57+09:00",
  "dcterms:modified": "2018-08-21T16:40+09:00",
  "description": "Self-extracting archive files created by IExpress provided Microsoft contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).\r\n Microsoft states that the root cause of this vulnerability is \"Application Directory (App Dir) DLL planting\" and attacks exploiting this vulnerability are limited, thus there is no plan to release any security updates to address this issue.\r\n\r\n For details, refer to \"Application Directory (App Dir) DLL planting\" released by Microsoft.\r\n\r\nEili Masami reported this vulnerability to IPA.\r\n JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000050.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:microsoft:iexpress",
      "@product": "IExpress",
      "@vendor": "Microsoft Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:microsoft:windows",
      "@product": "Microsoft Windows",
      "@vendor": "Microsoft Corporation",
      "@version": "2.2"
    }
  ],
  "sec:cvss": [
    {
      "@score": "6.8",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "7.8",
      "@severity": "High",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2018-000050",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN72748502/index.html",
      "@id": "JVN#72748502",
      "@source": "JVN"
    },
    {
      "#text": "https://jvn.jp/en/ta/JVNTA91240916/",
      "@id": "JVNTA#91240916",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0598",
      "@id": "CVE-2018-0598",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0598",
      "@id": "CVE-2018-0598",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "Self-Extracting Archive files created by IExpress may insecurely load Dynamic Link Libraries"
}