CVE-2008-3004 - OpenCVE

Microsoft Office Excel 2000 SP3, 2002 SP3, and 2003 SP2 and SP3; Office Excel Viewer 2003; and Office 2004 and 2008 for Mac do not properly validate index values for AxesSet records when loading Excel files, which allows remote attackers to execute arbitrary code via a crafted Excel file, aka the "Excel Indexing Validation Vulnerability."

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Office Office Excel Viewer

Configuration 1 [-]

OR	cpe:2.3:a:microsoft:office:2000:sp3::::::
	cpe:2.3:a:microsoft:office:2003:sp2::::::
	cpe:2.3:a:microsoft:office:2003:sp3::::::
	cpe:2.3:a:microsoft:office:xp:sp3::::::
	cpe:2.3:a:microsoft:office_excel_viewer:2003:::::::*

Configuration 2 [-]

OR	cpe:2.3:a:microsoft:office:2004::mac:::::
	cpe:2.3:a:microsoft:office:2008::mac:::::

References

Link	Resource
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=740
http://marc.info/?l=bugtraq&m=121915960406986&w=2
http://secunia.com/advisories/31454	Vendor Advisory
http://www.securityfocus.com/bid/30638
http://www.securitytracker.com/id?1020670
http://www.us-cert.gov/cas/techalerts/TA08-225A.html	US Government Resource
http://www.vupen.com/english/advisories/2008/2347	Vendor Advisory
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-043
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5885

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: microsoft

Published: 2008-08-12T23:00:00

Updated: 2018-10-12T19:57:01

Reserved: 2008-07-07T00:00:00

Link: CVE-2008-3004

JSON object: View

NVD Information

Status : Modified

Published: 2008-08-12T23:41:00.000

Modified: 2018-10-30T16:26:20.590

Link: CVE-2008-3004

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-08-12T00:00:00", "descriptions": [{"lang": "en", "value": "Microsoft Office Excel 2000 SP3, 2002 SP3, and 2003 SP2 and SP3; Office Excel Viewer 2003; and Office 2004 and 2008 for Mac do not properly validate index values for AxesSet records when loading Excel files, which allows remote attackers to execute arbitrary code via a crafted Excel file, aka the \"Excel Indexing Validation Vulnerability.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-12T19:57:01", "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft"}, "references": [{"name": "1020670", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1020670"}, {"name": "oval:org.mitre.oval:def:5885", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5885"}, {"name": "TA08-225A", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "http://www.us-cert.gov/cas/techalerts/TA08-225A.html"}, {"name": "HPSBST02360", "tags": ["vendor-advisory", "x_refsource_HP"], "url": "http://marc.info/?l=bugtraq&m=121915960406986&w=2"}, {"name": "SSRT080117", "tags": ["vendor-advisory", "x_refsource_HP"], "url": "http://marc.info/?l=bugtraq&m=121915960406986&w=2"}, {"name": "MS08-043", "tags": ["vendor-advisory", "x_refsource_MS"], "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-043"}, {"name": "20080812 Microsoft Excel Chart AxesSet Invalid Array Index Vulnerability", "tags": ["third-party-advisory", "x_refsource_IDEFENSE"], "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=740"}, {"name": "31454", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31454"}, {"name": "30638", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/30638"}, {"name": "ADV-2008-2347", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/2347"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@microsoft.com", "ID": "CVE-2008-3004", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Microsoft Office Excel 2000 SP3, 2002 SP3, and 2003 SP2 and SP3; Office Excel Viewer 2003; and Office 2004 and 2008 for Mac do not properly validate index values for AxesSet records when loading Excel files, which allows remote attackers to execute arbitrary code via a crafted Excel file, aka the \"Excel Indexing Validation Vulnerability.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "1020670", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1020670"}, {"name": "oval:org.mitre.oval:def:5885", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5885"}, {"name": "TA08-225A", "refsource": "CERT", "url": "http://www.us-cert.gov/cas/techalerts/TA08-225A.html"}, {"name": "HPSBST02360", "refsource": "HP", "url": "http://marc.info/?l=bugtraq&m=121915960406986&w=2"}, {"name": "SSRT080117", "refsource": "HP", "url": "http://marc.info/?l=bugtraq&m=121915960406986&w=2"}, {"name": "MS08-043", "refsource": "MS", "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-043"}, {"name": "20080812 Microsoft Excel Chart AxesSet Invalid Array Index Vulnerability", "refsource": "IDEFENSE", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=740"}, {"name": "31454", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31454"}, {"name": "30638", "refsource": "BID", "url": "http://www.securityfocus.com/bid/30638"}, {"name": "ADV-2008-2347", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/2347"}]}}}}, "cveMetadata": {"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "assignerShortName": "microsoft", "cveId": "CVE-2008-3004", "datePublished": "2008-08-12T23:00:00", "dateReserved": "2008-07-07T00:00:00", "dateUpdated": "2018-10-12T19:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:office:2000:sp3:*:*:*:*:*:*", "matchCriteriaId": "4891122F-AD7F-45E6-98C6-833227916F6B", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:office:2003:sp2:*:*:*:*:*:*", "matchCriteriaId": "07D3F3E4-93FB-481A-94D9-075E726697C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:office:2003:sp3:*:*:*:*:*:*", "matchCriteriaId": "A332D04D-CC8C-4F68-A261-BA2F2D8EAD1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:office:xp:sp3:*:*:*:*:*:*", "matchCriteriaId": "79BA1175-7F02-4435-AEA6-1BA8AADEB7EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:office_excel_viewer:2003:*:*:*:*:*:*:*", "matchCriteriaId": "0BB3D66F-9028-4703-9D6A-629331EEB492", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:office:2004:*:mac:*:*:*:*:*", "matchCriteriaId": "9409A9BD-1E9B-49B8-884F-8FE569D8AA25", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:office:2008:*:mac:*:*:*:*:*", "matchCriteriaId": "5BA91840-371C-4282-9F7F-B393F785D260", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Microsoft Office Excel 2000 SP3, 2002 SP3, and 2003 SP2 and SP3; Office Excel Viewer 2003; and Office 2004 and 2008 for Mac do not properly validate index values for AxesSet records when loading Excel files, which allows remote attackers to execute arbitrary code via a crafted Excel file, aka the \"Excel Indexing Validation Vulnerability.\""}, {"lang": "es", "value": "Microsoft Office Excel 2000 SP3, 2002 SP3 y 2003 SP2 y SP3; Office Excel Viewer 2003; y Office 2004 y 2008 para Mac no comprueban apropiadamente los valores de \u00edndice para los registros AxesSet al cargar archivos de Excel, lo que permite a atacantes remotos ejecutar c\u00f3digo arbitrario por medio de un archivo de Excel creado, tambi\u00e9n se conoce como \"Excel Indexing Validation Vulnerability.\""}], "id": "CVE-2008-3004", "lastModified": "2018-10-30T16:26:20.590", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2008-08-12T23:41:00.000", "references": [{"source": "secure@microsoft.com", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=740"}, {"source": "secure@microsoft.com", "url": "http://marc.info/?l=bugtraq&m=121915960406986&w=2"}, {"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/31454"}, {"source": "secure@microsoft.com", "url": "http://www.securityfocus.com/bid/30638"}, {"source": "secure@microsoft.com", "url": "http://www.securitytracker.com/id?1020670"}, {"source": "secure@microsoft.com", "tags": ["US Government Resource"], "url": "http://www.us-cert.gov/cas/techalerts/TA08-225A.html"}, {"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2008/2347"}, {"source": "secure@microsoft.com", "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-043"}, {"source": "secure@microsoft.com", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5885"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}