CVE-2019-1074

EUVD-2019-9656

15.07.2019, 19:15

An elevation of privilege vulnerability exists in Microsoft Windows where certain folders, with local service privilege, are vulnerable to symbolic link attack. An attacker who successfully exploited this vulnerability could potentially access unauthorized information. The update addresses this vulnerability by not allowing symbolic links in these scenarios., aka 'Microsoft Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1082.

Link Following

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 53%

Affected Products (NVD)

Vendor	Product	Version
microsoft	windows_server_2019	-

𝑥

= Vulnerable software versions

Windows Releases

Platform

Version

Windows 10

1709 (arm64, x64, x86)	KB4507455
1803 (arm64, x64, x86)	KB4507435
1809 (arm64, x64, x86)	KB4507469
1903 (arm64, x64, x86)	KB4507453

Windows Server

1803 Server Core	KB4507435
1903 Server Core	KB4507453

Windows Server 2019

Server Core	KB4507469
Standard	KB4507469

Common Weakness Enumeration

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1074