CVE-2018-8238 - OpenCVE

A security feature bypass vulnerability exists when Skype for Business or Lync do not properly parse UNC path links shared via messages, aka "Skype for Business and Lync Security Feature Bypass Vulnerability." This affects Skype, Microsoft Lync.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Skype For Business Lync

Configuration 1 [-]

OR	cpe:2.3:a:microsoft:lync:2013:sp1::::::
	cpe:2.3:a:microsoft:skype_for_business:2016:::::::*

References

Link	Resource
http://www.securityfocus.com/bid/104619	Third Party Advisory VDB Entry
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8238	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: microsoft

Published: 2018-07-11T00:00:00

Updated: 2018-07-11T09:57:01

Reserved: 2018-03-14T00:00:00

Link: CVE-2018-8238

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-07-11T00:29:00.647

Modified: 2019-10-03T00:03:26.223

Link: CVE-2018-8238

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "Skype", "vendor": "Microsoft", "versions": [{"status": "affected", "version": "Business 2016 (32-bit)"}, {"status": "affected", "version": "Business 2016 (64-bit)"}]}, {"product": "Microsoft Lync", "vendor": "Microsoft", "versions": [{"status": "affected", "version": "2013 Service Pack 1 (32-bit)"}, {"status": "affected", "version": "2013 Service Pack 1 (64-bit)"}]}], "datePublic": "2018-07-10T00:00:00", "descriptions": [{"lang": "en", "value": "A security feature bypass vulnerability exists when Skype for Business or Lync do not properly parse UNC path links shared via messages, aka \"Skype for Business and Lync Security Feature Bypass Vulnerability.\" This affects Skype, Microsoft Lync."}], "problemTypes": [{"descriptions": [{"description": "Security Feature Bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-07-11T09:57:01", "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft"}, "references": [{"name": "104619", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104619"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8238"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@microsoft.com", "ID": "CVE-2018-8238", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Skype", "version": {"version_data": [{"version_value": "Business 2016 (32-bit)"}, {"version_value": "Business 2016 (64-bit)"}]}}, {"product_name": "Microsoft Lync", "version": {"version_data": [{"version_value": "2013 Service Pack 1 (32-bit)"}, {"version_value": "2013 Service Pack 1 (64-bit)"}]}}]}, "vendor_name": "Microsoft"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A security feature bypass vulnerability exists when Skype for Business or Lync do not properly parse UNC path links shared via messages, aka \"Skype for Business and Lync Security Feature Bypass Vulnerability.\" This affects Skype, Microsoft Lync."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Security Feature Bypass"}]}]}, "references": {"reference_data": [{"name": "104619", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104619"}, {"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8238", "refsource": "CONFIRM", "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8238"}]}}}}, "cveMetadata": {"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "assignerShortName": "microsoft", "cveId": "CVE-2018-8238", "datePublished": "2018-07-11T00:00:00", "dateReserved": "2018-03-14T00:00:00", "dateUpdated": "2018-07-11T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:lync:2013:sp1:*:*:*:*:*:*", "matchCriteriaId": "8B854E18-7CB0-43F7-9EBF-E356FA176B2F", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:skype_for_business:2016:*:*:*:*:*:*:*", "matchCriteriaId": "D499807D-91F3-447D-B9F0-D612898C9339", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A security feature bypass vulnerability exists when Skype for Business or Lync do not properly parse UNC path links shared via messages, aka \"Skype for Business and Lync Security Feature Bypass Vulnerability.\" This affects Skype, Microsoft Lync."}, {"lang": "es", "value": "Existe una vulnerabilidad de omisi\u00f3n de la caracter\u00edstica de seguridad cuando Skype for Business o Lync no analizan correctamente los enlaces de ruta UNC compartidos mediante mensajes. Esto tambi\u00e9n se conoce como \"Skype for Business and Lync Security Feature Bypass Vulnerability\". Esto afecta a Skype y Microsoft Lync."}], "id": "CVE-2018-8238", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-11T00:29:00.647", "references": [{"source": "secure@microsoft.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104619"}, {"source": "secure@microsoft.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8238"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}