CVE-2017-11786

CWE-294 | 4 documents | 4 sources
Severity: 8.8 HIGH
EPSS: 11.5% (top 6.39%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 13 | Latest update May 13

Description

Skype for Business in Microsoft Lync 2013 SP1 and Skype for Business 2016 allows an attacker to steal an authentication hash that can be reused elsewhere, due to how Skype for Business handles authentication requests, aka "Skype for Business Elevation of Privilege Vulnerability."

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages: 3 packages

CVEListV5 | microsoft_corporation/skype_for_business | Microsoft Lync 2013 SP1 and Skype for Business 2016
NVD | microsoft/skype | 2016
NVD | microsoft/lync | 2013

Patches

🔴 Vulnerability Details (2)

GHSA | GHSA-2xjh-35wj-vw46: Skype for Business in Microsoft Lync 2013 SP1 and Skype for Business 2016 allows an attacker to steal an authentication hash that can be reused elsewh | 2022-05-13
CVEList | CVE-2017-11786: Skype for Business in Microsoft Lync 2013 SP1 and Skype for Business 2016 allows an attacker to steal an authentication hash that can be reused elsewh | 2017-10-13

📋 Vendor Advisories (1)

Microsoft | Skype for Business Elevation of Privilege Vulnerability | 2017-10-10