Vulnerability-Lookup - Search a vulnerability

Vulnerabilites related to Microsoft Corporation - Microsoft Teams

jvndb-2019-000014

Vulnerability from jvndb

Published

2019-04-02 14:18

Modified

2020-04-01 16:55

Severity ?

7.8 (High) - cvssV3_0 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

The installer of Microsoft Teams may insecurely load Dynamic Link Libraries

Details

The installer of Microsoft Teams contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Microsoft states that the root cause of this vulnerability is "Application Directory (App Dir) DLL planting", thus there is no plan to release any security updates to address this issue. For details, refer to "Application Directory (App Dir) DLL planting" released by Microsoft. Asuka Nakajima of NTT Secure Platform Laboratories reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

References

►

Type

URL

	JVN	http://jvn.jp/en/jp/JVN79543573/index.html
	JVN	https://jvn.jp/en/ta/JVNTA91240916/
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5922
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2019-5922
	No Mapping(CWE-Other)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

►

Vendor

Product

Microsoft Corporation

Microsoft Teams

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000014.html",
  "dc:date": "2020-04-01T16:55+09:00",
  "dcterms:issued": "2019-04-02T14:18+09:00",
  "dcterms:modified": "2020-04-01T16:55+09:00",
  "description": "The installer of Microsoft Teams contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).\r\nMicrosoft states that the root cause of this vulnerability is \"Application Directory (App Dir) DLL planting\", thus there is no plan to release any security updates to address this issue.\r\n\r\nFor details, refer to \"Application Directory (App Dir) DLL planting\" released by Microsoft.\r\n\r\nAsuka Nakajima of NTT Secure Platform Laboratories reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000014.html",
  "sec:cpe": {
    "#text": "cpe:/a:microsoft:teams",
    "@product": "Microsoft Teams",
    "@vendor": "Microsoft Corporation",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "6.8",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "7.8",
      "@severity": "High",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2019-000014",
  "sec:references": [
    {
      "#text": "http://jvn.jp/en/jp/JVN79543573/index.html",
      "@id": "JVN#79543573",
      "@source": "JVN"
    },
    {
      "#text": "https://jvn.jp/en/ta/JVNTA91240916/",
      "@id": "JVNTA#91240916",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5922",
      "@id": "CVE-2019-5922",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-5922",
      "@id": "CVE-2019-5922",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "The installer of Microsoft Teams may insecurely load Dynamic Link Libraries"
}