CVE-2018-8319
CVSS: N/A
Published: 2018-07-10 20:29:02
Revised: 2018-07-11 21:29:06

[Original] A Security Feature Bypass vulnerability exists in MSR JavaScript Cryptography Library that is caused by incorrect arithmetic computations, aka "MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability." This affects Microsoft Research JavaScript Cryptography Library.


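[CNNVD] CNNVD data not yet available.


[Machine translation] Translation not yet available.

- CVSS (base score)

CVSS not yet available

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links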

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8319
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8319
(Official data source) NVD

- Other links and resources

http://www.securityfocus.com/bid/104655
(UNKNOWN)  BID  104655
http://www.securitytracker.com/id/1041268
(UNKNOWN)  SECTRACK  1041268
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8319
(UNKNOWN)  CONFIRM  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8319

- Vulnerability information (F148570)

Microsoft Security Bulletin CVE Revision Increment For July, 2018 (PacketStormID:F148570)
2018-07-16 00:00:00
 
advisory
CVE-2018-8319

This Microsoft bulletin summary holds a CVE update for CVE-2018-8319.


********************************************************************
Title: Microsoft Security Update Releases
Issued: July 16, 2018
********************************************************************

Summary
=======

The following CVEs have undergone a major revision increment:

* CVE-2018-8319

Revision Information:
=====================

 - CVE-2018-8319 | MSR JavaScript Cryptography Library Security 
   Feature Bypass Vulnerability
 - https://portal.msrc.microsoft.com/en-us/security-guidance/
   advisory/CVE-2018-8319
 - Reason for Revision: Information updated to announce the release 
   of MSR JavaScript Cryptography Library version 1.4.1.
 - Originally posted: July 10, 2018
 - Updated: July 16, 2018
 - Aggregate CVE Severity Rating: Important
 - Version: 2.0

 
Other Information
=================

Recognize and avoid fraudulent email to Microsoft customers:
=============================================================
If you receive an email message that claims to be distributing 
a Microsoft security update, it is a hoax that may contain 
malware or pointers to malicious websites. Microsoft does 
not distribute security updates via email. 

The Microsoft Security Response Center (MSRC) uses PGP to digitally 
sign all security notifications. However, PGP is not required for 
reading security notifications, reading security bulletins, or 
installing security updates. You can obtain the MSRC public PGP key
at <https://technet.microsoft.com/security/dn753714>.


- Vulnerability information

Microsoft MSR JavaScript Cryptography Library CVE-2018-8319 Remote Security Bypass Vulnerability
Input Validation Error 104655
Yes No
2018-07-10 12:00:00 2018-07-10 12:00:00
Jonathan Burns, Colin McRae, and Ryan Speers of Ionic Security.

- Affected software versions

Microsoft MSR JavaScript Cryptography Library 0

- Vulnerability discussion

Microsoft MSR JavaScript Cryptography Library is prone to a remote security-bypass vulnerability.

An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may aid in further attacks.

- Exploit

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Updates are available. Please see the references or vendor advisory for more information.

- Related references

 

 
