CVE-2017-8699 — Improper Input Validation in Corporation Windows Shell

CWE-20 — Improper Input Validation7 documents5 sources

Severity

7.0HIGHNVD

EPSS

30.6%

top 3.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Corporation Windows Shell Microsoft Windows 10 Microsoft Windows Server 2008 +13 more

Timeline

PublishedSep 13

Latest updateMay 17

Description

Windows Shell in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an attacker to run arbitrary code in the context of the current user, due to the way that Windows Shell validates file copy destinations, aka "Windows Shell Remote Code Execution Vulnerability".

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages15 packages

▶msrcmsrc/windows_server_2008

▶msrcmsrc/windows_server_2012

▶msrcmsrc/windows_server_2016

▶msrcmsrc/windows_server_2008_r2

▶msrcmsrc/windows_server_2012_r2

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-h4xw-vj67-jj9f: Windows Shell in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8↗2022-05-17

▶

📋Vendor Advisories

Microsoft

Windows Shell Remote Code Execution Vulnerability↗2017-09-12

▶

🕵️Threat Intelligence

Talos

Microsoft Patch Tuesday - September 2017↗2017-09-12

▶

💬Community

Bugzilla

CVE-2016-8685 CVE-2016-8686 CVE-2016-8694 CVE-2016-8695 CVE-2016-8696 CVE-2016-8697 CVE-2016-8698 CVE-2016-8699 CVE-2016-8700 CVE-2016-8701 CVE-2016-8702 CVE-2016-8703 CVE-2017-7263 potrace: Multiple ↗2016-10-17

▶