CVE-2019-1074 — Link Following in Microsoft Windows

CWE-59 — Link Following7 documents5 sources

Severity

7.8HIGHNVD

NVD5.5

EPSS

0.3%

top 45.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Windows Microsoft Windows Server Microsoft Windows 10 +18 more

Timeline

PublishedJul 15

Latest updateMay 24

Description

An elevation of privilege vulnerability exists in Microsoft Windows where certain folders, with local service privilege, are vulnerable to symbolic link attack. An attacker who successfully exploited this vulnerability could potentially access unauthorized information. The update addresses this vulnerability by not allowing symbolic links in these scenarios., aka 'Microsoft Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1082.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages19 packages

▶CVEListV5microsoft/windows9 versions+8

▶NVDmicrosoft/windowsr2, 1803, 1903+2

▶NVDmicrosoft/windows_105 versions+4

▶CVEListV5microsoft/windows_server9 versions+8

▶msrcmsrc/windows_server_2019

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-4vv7-rw65-fcg2: An elevation of privilege vulnerability exists in Microsoft Windows where certain folders, with local service privilege, are vulnerable to symbolic li↗2022-05-24

▶

GHSA

GHSA-92mw-47w3-p78v: An elevation of privilege vulnerability exists in Microsoft Windows where a certain dll, with Local Service privilege, is vulnerable to race planting↗2022-05-24

▶

📋Vendor Advisories

Microsoft

Microsoft Windows Elevation of Privilege Vulnerability↗2019-07-09

▶

🕵️Threat Intelligence

Zscaler

Zscaler found Multiple Security Vulnerabilities | 07-10-2019↗

▶

💬Community

Bugzilla

CVE-2019-10352 jenkins: Arbitrary file write vulnerability using file parameter definitions (SECURITY-1424)↗2019-07-17

▶