CVE-2020-0989

EUVD-2020-2455

11.09.2020, 17:15

<p>An information disclosure vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to read files.</p>
<p>To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and access files.</p>
<p>The security update addresses the vulnerability by correcting the how Windows MDM Diagnostics handles files.</p>

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
microsoft	CNA	5.5 MEDIUM				CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 73%

Affected Products (NVD)

Vendor	Product	Version
microsoft	windows_server_2019	-

𝑥

= Vulnerable software versions

Windows Releases

Platform

Version

Windows 10

1709 (arm64, x64, x86)	KB4577041
1803 (arm64, x64, x86)	KB4577032
1809 (arm64, x64, x86)	KB4570333
1903 (arm64, x64, x86)	KB4574727
1909 (arm64, x64, x86)	KB4574727
2004 (arm64, x64, x86)	KB4571756

Windows Server

1903 Server Core	KB4574727
1909 Server Core	KB4574727
2004 Server Core	KB4571756

Windows Server 2019

Server Core	KB4570333
Standard	KB4570333

Common Weakness Enumeration

CWE-862 - Missing Authorization
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0989