Multiple vulnerabilities in Microsoft Office
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2022-38048 CVE-2022-41043 CVE-2022-38001 |
| CWE-ID | CWE-416 CWE-200 CWE-451 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Microsoft Office LTSC 2021 Other software / Other software solutions Microsoft Office Client/Desktop applications / Office applications Microsoft 365 Apps for Enterprise Client/Desktop applications / Other client software |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Use-after-free
EUVDB-ID: #VU68151
Risk: High
CVSSv3.1:
CVE-ID: CVE-2022-38048
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when parsing DOCX files. A remote attacker can trick the victim to open a specially crafted Word file, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMicrosoft Office LTSC 2021: 32 bit editions - 2021 for Mac
Microsoft Office: 2013 RT Service Pack 1 - 2019 for Mac
Microsoft 365 Apps for Enterprise: 32-bit Systems - 64-bit Systems
CPE2.3 External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38048
http://www.zerodayinitiative.com/advisories/ZDI-22-1411/
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
2) Information disclosure
EUVDB-ID: #VU68154
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2022-41043
CWE-ID:
CWE-200 - Information Exposure
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in the Microsoft Office. A local user can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMicrosoft Office LTSC 2021: 2021 for Mac
Microsoft Office: 2019 for Mac
CPE2.3 External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41043
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
3) Spoofing attack
EUVDB-ID: #VU68152
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-38001
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data in the Microsoft Office. A remote attacker can trick a victim to open a specially crafted file and spoof page content.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMicrosoft Office LTSC 2021: 32 bit editions - 64 bit editions
Microsoft Office: 2019
Microsoft 365 Apps for Enterprise: 32-bit Systems - 64-bit Systems
CPE2.3 External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38001
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
