CVE-2019-0683 — Incorrect Default Permissions in Microsoft Windows

CWE-276 — Incorrect Default Permissions3 documents3 sources

Severity

5.9MEDIUMNVD

EPSS

4.3%

top 11.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Windows Microsoft Windows Server Microsoft Windows Server 2008 +16 more

Timeline

PublishedApr 9

Latest updateMay 13

Description

An elevation of privilege vulnerability exists in Active Directory Forest trusts due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest, aka 'Active Directory Elevation of Privilege Vulnerability'.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages19 packages

▶msrcmsrc/windows_7

▶msrcmsrc/windows_10

▶msrcmsrc/windows_8.1

▶CVEListV5microsoft/windows7 for 32-bit Systems Service Pack 1, 7 for x64-based Systems Service Pack 1+1

▶NVDmicrosoft/windowsr2

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-8xv7-7xwv-fw3m: An elevation of privilege vulnerability exists in Active Directory Forest trusts due to a default setting that lets an attacker in the trusting forest↗2022-05-13

▶

📋Vendor Advisories

Microsoft

Active Directory Elevation of Privilege Vulnerability↗2019-03-12

▶