CVE-2019-1449: Microsoft Office vulnerability

4 documents, 4 sources
Severity: 9.8 CRITICAL (NVD)
EPSS: 5.7% (top 9.54%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Nov 12
Latest update: May 24

Description

A security feature bypass vulnerability exists in the way that Office Click-to-Run (C2R) components handle a specially crafted file, which could lead to a standard user, any AppContainer sandbox, and Office LPAC Protected View to escalate privileges to SYSTEM. To exploit this bug, an attacker would have to run a specially crafted file, aka 'Microsoft Office ClickToRun Security Feature Bypass Vulnerability'.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

CVEListV5 microsoft/microsoft_office: 2019 for 32-bit editions, 2019 for 64-bit editions, +1
CVEListV5 microsoft/office_365_proplus: 32-bit Systems, 64-bit Systems, +1

Patches

🔴 Vulnerability Details (2)

GHSA
GHSA-hgr7-mfwx-6c5g: A security feature bypass vulnerability exists in the way that Office Click-to-Run (C2R) components handle a specially crafted file, which could lead (2022-05-24)
CVEList
CVE-2019-1449: A security feature bypass vulnerability exists in the way that Office Click-to-Run (C2R) components handle a specially crafted file, which could lead (2019-11-12)

📋 Vendor Advisories (1)

Microsoft
Microsoft Office ClickToRun Security Feature Bypass Vulnerability (2019-11-12)