CVE-2017-11786
Severity Score
8.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Skype for Business in Microsoft Lync 2013 SP1 and Skype for Business 2016 allows an attacker to steal an authentication hash that can be reused elsewhere, due to how Skype for Business handles authentication requests, aka "Skype for Business Elevation of Privilege Vulnerability."
Skype for Business en Microsoft Lync 2013 SP1 y Skype for Business 2016 permiten que un atacante robe un hash de autenticación que puede reutilizarse en otro sitio, debido a la forma en la que Skype for Business gestiona las peticiones de autenticación, lo que también se conoce como "Skype for Business Elevation of Privilege Vulnerability".
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2017-07-31 CVE Reserved
- 2017-10-13 CVE Published
- 2023-07-29 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-294: Authentication Bypass by Capture-replay
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/101156 | Third Party Advisory | |
| http://www.securitytracker.com/id/1039530 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11786 | 2019-10-03 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Microsoft Search vendor "Microsoft" | Lync Search vendor "Microsoft" for product "Lync" | 2013 Search vendor "Microsoft" for product "Lync" and version "2013" | sp1 |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Skype For Business Search vendor "Microsoft" for product "Skype For Business" | 2016 Search vendor "Microsoft" for product "Skype For Business" and version "2016" | - |
Affected
| ||||||