CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.159 Low
Percentile: 95.3%

Scripting Engine Memory Corruption Vulnerability
Recent assessments:
gwillcox-r7 at July 14, 2021 5:02pm UTC reported:
Looking at Microsoft’s advisory at <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448> shows very little information other than that this is a scripting engine vulnerability which is exploitable across a wide range of Windows OS versions and is exploitable remotely. Further investigation though shows that Cisco Talos at <https://blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html> mentions that this vulnerability is a memory corruption vulnerability triggered when opening a maliciously crafted email or visiting a malicious website.
Further examination of <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448> using the Download column (which is not enabled by default but can be added) shows several references to IE Cumulative Update which suggests this is potentially an IE related vulnerability. Further examination of past advisories named in the same way like <https://msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-0224> shows that IE scripting engine vulnerabilities are also referenced using the same style of language, so it would seem this is a memory corruption vulnerability within IE’s scripting engine.
Users should ideally apply patches to fix this issue given it has been exploited in the wild already, however if this is not possible then users should disable JavaScript in their browsers as most scripting engine vulnerabilities rely on taking advantage of flaws in the JavaScript engine of a given browser, which requires the browser to have JavaScript enabled in the first place. Note that this will break the operation of most sites so patching is preferred where possible.
Assessed Attacker Value: 4
Assessed Attacker Value: 3
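
One way to audit the scripting workaround mentioned in the assessment above on a Windows host, as an added example that is not part of the original assessment or of Microsoft's advisory. It assumes the affected browser is Internet Explorer (the assessment's inference), that IE's "Active scripting" setting is URL action 1400 under the per-zone registry keys shown, and that policy keys take precedence over user preferences; the function name is hypothetical.

```powershell
# Added example (not from the original page): report whether IE "Active scripting"
# (URL action 1400) is enabled, prompting, or disabled in each security zone.
# Assumed value mapping: 0 = enabled, 1 = prompt, 3 = disabled.
$ZoneNames  = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$StateNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$Suffix     = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Locations are checked in this order and the first one that sets 1400 wins
# (assumption: machine policy, then user policy, then the user's own preference).
$Roots = [ordered]@{
    'Machine policy'  = "HKLM:\SOFTWARE\Policies\$Suffix"
    'User policy'     = "HKCU:\Software\Policies\$Suffix"
    'User preference' = "HKCU:\Software\$Suffix"
}

function Get-ActiveScriptingState {
    foreach ($zone in ($ZoneNames.Keys | Sort-Object)) {
        $value  = $null
        $source = 'Not set'
        foreach ($root in $Roots.GetEnumerator()) {
            $key  = Join-Path $root.Value "$zone"
            $prop = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
            if ($null -ne $prop) {
                $value  = $prop.'1400'
                $source = $root.Key
                break
            }
        }
        if ($null -eq $value) {
            $state = 'Unknown (zone default applies)'
        } elseif ($StateNames.ContainsKey([int]$value)) {
            $state = $StateNames[[int]$value]
        } else {
            $state = "Unrecognised value ($value)"
        }
        [pscustomobject]@{
            Zone            = $ZoneNames[$zone]
            Source          = $source
            ActiveScripting = $state
        }
    }
}

# Hosts that cannot be patched yet should show 'Disabled' for at least the
# Internet and Restricted sites zones.
Get-ActiveScriptingState | Format-Table -AutoSize
```

A zone reported as "Not set" has no explicit value in any of the three locations, so the result for that zone has to be confirmed in the Internet Options security dialog.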