SecuriTricks - CVE-2024-49059

Description

Microsoft Office Elevation of Privilege Vulnerability

Product(s) Impacted

Vendor	Product	Versions
Microsoft	365 Apps Office Office Long Term Servicing Channel	- 2016, 2019 2021, 2024

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

CWE-59

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	microsoft	365_apps	-	/	/	/	enterprise	/	/	/
a	microsoft	office	2016	/	/	/	/	/	/	/
a	microsoft	office	2019	/	/	/	/	/	/	/
a	microsoft	office_long_term_servicing_channel	2021	/	/	/	/	/	/	/
a	microsoft	office_long_term_servicing_channel	2024	/	/	/	/	/	/	/

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49059

CVSS Score

7.0 / 10

CVSS Data - 3.1

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

View Vector String

Timeline

Published: Dec. 12, 2024, 2:04 a.m.
Last Modified: Jan. 8, 2025, 12:40 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

secure@microsoft.com

CVE-2024-49059