CERTA-2011-AVI-357

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité dans l'éditeur XML de Microsoft permet à un utilisateur distant de porter atteinte à la confidentialité de certaines données.

Description

Une vulnérabilité est présente dans l'éditeur de fichiers XML de Microsoft inclus dans de nombreux logiciels comme SQL Server ou Visual Studio. Elle permet à un utilisateur distant malintentionné de porter atteinte à la confidentialité de certaines données au moyen d'un fichier Web Service Discovery (.disco) construit de façon particulière.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None
Impacted products
Vendor Product Description
Microsoft N/A Microsoft SQL Server Management Studio Express (SSMSE) 2005 ;
Microsoft N/A Microsoft SQL Server 2005 Édition x64 Service Pack 4 ;
Microsoft N/A Microsoft SQL Server 2008 pour systèmes x64 Service Pack 2 ;
Microsoft N/A Microsoft SQL Server 2008 R2 pour systèmes Itanium ;
Microsoft N/A Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 3 ;
Microsoft N/A Microsoft InfoPath 2007 Service Pack 2 ;
Microsoft N/A Microsoft SQL Server 2008 pour systèmes Itanium Service Pack 1 ;
Microsoft N/A Microsoft SQL Server 2005 Express Edition Service Pack 4 ;
Microsoft N/A Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 4 ;
Microsoft N/A Microsoft SQL Server 2008 R2 pour systèmes 32 bits ;
Microsoft N/A Microsoft SQL Server 2005 Édition x64 Service Pack 3 ;
Microsoft N/A Microsoft SQL Server 2008 pour systèmes 32 bits Service Pack 2 ;
Microsoft N/A Microsoft InfoPath 2010 (éditions 32 bits) ;
Microsoft N/A Microsoft Visual Studio 2010.
Microsoft N/A Microsoft SQL Server 2005 Service Pack 4 ;
Microsoft N/A Microsoft InfoPath 2010 (éditions 64 bits) ;
Microsoft N/A Microsoft SQL Server 2005 Service Pack 3 pour systèmes Itanium ;
Microsoft N/A Microsoft SQL Server 2005 Service Pack 3 ;
Microsoft N/A Microsoft SQL Server 2005 Express Edition Service Pack 3 ;
Microsoft N/A Microsoft SQL Server 2005 pour systèmes Itanium Service Pack 4 ;
Microsoft N/A Microsoft SQL Server 2008 pour systèmes 32 bits Service Pack 1 ;
Microsoft N/A Microsoft SQL Server Management Studio Express (SSMSE) 2005 édition x64 ;
Microsoft N/A Microsoft SQL Server 2008 pour systèmes x64 Service Pack 1 ;
Microsoft N/A Microsoft Visual Studio 2005 Service Pack 1 ;
Microsoft N/A Microsoft SQL Server 2008 pour systèmes Itanium Service Pack 2 ;
Microsoft N/A Microsoft SQL Server 2008 R2 pour systèmes x64 ;
Microsoft N/A Microsoft Visual Studio 2008 Service Pack 1 ;
References

Show details on source website
To clipboard 

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Microsoft SQL Server Management Studio Express (SSMSE) 2005 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2005 \u00c9dition x64 Service Pack 4 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2008 pour syst\u00e8mes x64 Service Pack 2 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2008 R2 pour syst\u00e8mes Itanium ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 3 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft InfoPath 2007 Service Pack 2 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2008 pour syst\u00e8mes Itanium Service Pack 1 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2005 Express Edition Service Pack 4 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 4 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2008 R2 pour syst\u00e8mes 32 bits ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2005 \u00c9dition x64 Service Pack 3 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2008 pour syst\u00e8mes 32 bits Service Pack 2 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft InfoPath 2010 (\u00e9ditions 32 bits) ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2010.",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2005 Service Pack 4 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft InfoPath 2010 (\u00e9ditions 64 bits) ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2005 Service Pack 3 pour syst\u00e8mes Itanium ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2005 Service Pack 3 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2005 Express Edition Service Pack 3 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2005 pour syst\u00e8mes Itanium Service Pack 4 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2008 pour syst\u00e8mes 32 bits Service Pack 1 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server Management Studio Express (SSMSE) 2005 \u00e9dition x64 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2008 pour syst\u00e8mes x64 Service Pack 1 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2005 Service Pack 1 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2008 pour syst\u00e8mes Itanium Service Pack 2 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2008 R2 pour syst\u00e8mes x64 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2008 Service Pack 1 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nUne vuln\u00e9rabilit\u00e9 est pr\u00e9sente dans l\u0027\u00e9diteur de fichiers XML de\nMicrosoft inclus dans de nombreux logiciels comme SQL Server ou Visual\nStudio. Elle permet \u00e0 un utilisateur distant malintentionn\u00e9 de porter\natteinte \u00e0 la confidentialit\u00e9 de certaines donn\u00e9es au moyen d\u0027un fichier\nWeb Service Discovery (.disco) construit de fa\u00e7on particuli\u00e8re.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2011-1280",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-1280"
    }
  ],
  "links": [],
  "reference": "CERTA-2011-AVI-357",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2011-06-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 dans l\u0027\u00e9diteur XML de Microsoft permet \u00e0 un\nutilisateur distant de porter atteinte \u00e0 la confidentialit\u00e9 de certaines\ndonn\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9 de l\u0027\u00e9diteur XML de Microsoft",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft MS11-049 du 14 juin 2011",
      "url": "http://www.microsoft.com/technet/security/Bulletin/MS11-049.mspx"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.