CVE-2018-8360

EUVD-2018-20007

15.08.2018, 17:29

An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments, aka ".NET Framework Information Disclosure Vulnerability." This affects Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.0, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 4.7.2, Microsoft .NET Framework 2.0, Microsoft .NET Framework 4.6/4.6.1/4.6.2.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 93%

Affected Products (NVD)

Vendor	Product	Version
microsoft	.net_framework	2.0:sp2
microsoft	.net_framework	3.0:sp2
microsoft	.net_framework	3.5
microsoft	.net_framework	3.5.1
microsoft	.net_framework	4.5.2
microsoft	.net_framework	4.6.2
microsoft	.net_framework	4.7
microsoft	.net_framework	4.7.1
microsoft	.net_framework	4.7.2
microsoft	.net_framework	4.6
microsoft	.net_framework	4.6.1
microsoft	.net_framework	4.6.2
microsoft	.net_framework	4.7
microsoft	.net_framework	4.7.1
microsoft	.net_framework	4.7.2
microsoft	.net_framework	4.7.1
microsoft	.net_framework	4.7.2
microsoft	.net_framework	4.7.2
microsoft	.net_framework	4.7
microsoft	.net_framework	4.7.1
microsoft	.net_framework	4.7.2

𝑥

= Vulnerable software versions

Windows Releases

Platform

Version

Windows 10

(x64, x86)	KB4343892
1607 (x64, x86)	KB4343887
1703 (x64, x86)	KB4343885
1709 (x64, x86)	KB4343897
1803 (x64, x86)	KB4343909

Windows 7

Service Pack 1 (x64, x86)	KB4344167
Service Pack 1 (x64, x86)	KB4344177
Service Pack 1 (x64, x86)	KB4344173

Windows 8.1

(x64, x86)	KB4344166
(x64, x86)	KB4344178
(x64, x86)	KB4344171

Windows RT 8.1

All	KB4344145
All	KB4344147

Windows Server

1709 Server Core	KB4343897
1803 Server Core	KB4343909

Windows Server 2008

Service Pack 2 (x64, x86)	KB4344176
Service Pack 2 (x64, x86)	KB4344173

Windows Server 2008 R2

Service Pack 1 (x64)	KB4344177
Service Pack 1 (x64)	KB4344167
Service Pack 1 (x64)	KB4344173
Service Pack 1 Server Core (x64)	KB4344167
Service Pack 1 Server Core (x64)	KB4344177
Service Pack 1 Server Core (x64)	KB4344173

Windows Server 2012

Server Core	KB4344165
Server Core	KB4344175
Server Core	KB4344172
Standard	KB4344165
Standard	KB4344175
Standard	KB4344172

Windows Server 2012 R2

Server Core	KB4344166
Server Core	KB4344178
Server Core	KB4344171
Standard	KB4344166
Standard	KB4344178
Standard	KB4344171

Windows Server 2016

Server Core	KB4343887
Standard	KB4343887

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

http://www.securityfocus.com/bid/104986

http://www.securitytracker.com/id/1041462

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8360

http://www.securityfocus.com/bid/104986

http://www.securitytracker.com/id/1041462

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8360