Description
### *Detect date*:
06/30/2022
### *Severity*:
High
### *Description*:
An elevation of privilege vulnerability was found in Microsoft Browser. Malicious users can exploit this vulnerability to gain elevated privileges.
### *Affected products*:
Microsoft Edge (Chromium-based)
### *Solution*:
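Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel). The Nessus plugin referenced in this record gives Microsoft Edge version 103.0.1264.44 or later as the fixed version, so confirm the installed browser version after updating.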
### *Original advisories*:
[CVE-2022-33680](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33680>)
### *Impacts*:
PE (privilege escalation)
### *Related products*:
[Microsoft Edge](<https://threats.kaspersky.com/en/product/Microsoft-Edge/>)
Related
{"id": "KLA12577", "vendorId": null, "type": "kaspersky", "bulletinFamily": "info", "title": "KLA12577 PE vulnerability in Microsoft Browser", "description": "### *Detect date*:\n06/30/2022\n\n### *Severity*:\nHigh\n\n### *Description*:\nAn elevation of privilege vulnerability was found in Microsoft Browser. Malicious users can exploit this vulnerability to gain privileges.\n\n### *Affected products*:\nMicrosoft Edge (Chromium-based)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-33680](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33680>) \n\n\n### *Impacts*:\nPE \n\n### *Related products*:\n[Microsoft Edge](<https://threats.kaspersky.com/en/product/Microsoft-Edge/>)", "published": "2022-06-30T00:00:00", "modified": "2022-07-04T00:00:00", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 5.1}, "severity": "MEDIUM", "exploitabilityScore": 4.9, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 6.0}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA12577/", "reporter": 
"Kaspersky Lab", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33680", "https://threats.kaspersky.com/en/product/Microsoft-Edge/", "https://statistics.securelist.com/vulnerability-scan/month"], "cvelist": ["CVE-2022-33680"], "immutableFields": [], "lastseen": "2022-07-15T18:03:25", "viewCount": 7, "enchantments": {"score": {"value": 1.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2022-33680"]}, {"type": "mscve", "idList": ["MS:CVE-2022-33680"]}, {"type": "nessus", "idList": ["MICROSOFT_EDGE_CHROMIUM_103_0_1264_44.NASL"]}]}, "epss": [{"cve": "CVE-2022-33680", "epss": "0.001440000", "percentile": "0.486020000", "modified": "2023-03-19"}], "vulnersScore": 1.5}, "_state": {"score": 1659992473, "dependencies": 1659988328, "epss": 1679300024}, "_internal": {"score_hash": "399050e775cb90674b205cb3a4375d6b"}}
{"mscve": [{"lastseen": "2023-03-17T02:32:25", "description": "Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-30192, CVE-2022-33638, CVE-2022-33639.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.3, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2022-06-30T07:00:00", "type": "mscve", "title": "Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30192", "CVE-2022-33638", "CVE-2022-33639", "CVE-2022-33680"], "modified": "2022-06-30T07:00:00", "id": "MS:CVE-2022-33680", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-33680", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-02-09T14:30:19", "description": "Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. 
This CVE ID is unique from CVE-2022-30192, CVE-2022-33638, CVE-2022-33639.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.3, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2022-07-07T20:15:00", "type": "cve", "title": "CVE-2022-33680", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30192", "CVE-2022-33638", "CVE-2022-33639", "CVE-2022-33680"], "modified": "2022-07-15T15:29:00", "cpe": [], "id": "CVE-2022-33680", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-33680", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "nessus": [{"lastseen": "2023-03-26T06:50:38", "description": "The version of Microsoft Edge installed on the remote Windows host is prior to 103.0.1264.44. It is, therefore, affected by a vulnerability as referenced in the June 30, 2022 advisory.\n\n - Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-30192, CVE-2022-33638, CVE-2022-33639. 
(CVE-2022-33680)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.3, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2022-06-30T00:00:00", "type": "nessus", "title": "Microsoft Edge (Chromium) < 103.0.1264.44 Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30192", "CVE-2022-33638", "CVE-2022-33639", "CVE-2022-33680"], "modified": "2023-03-23T00:00:00", "cpe": ["cpe:2.3:a:microsoft:edge:*:*:*:*:*:*:*:*"], "id": "MICROSOFT_EDGE_CHROMIUM_103_0_1264_44.NASL", "href": "https://www.tenable.com/plugins/nessus/162624", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162624);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/23\");\n\n script_cve_id(\"CVE-2022-33680\");\n\n script_name(english:\"Microsoft Edge (Chromium) < 103.0.1264.44 Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an web browser installed that is affected by a vulnerability\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Edge installed on the remote Windows host is prior to 103.0.1264.44. It is, therefore, affected\nby a vulnerability as referenced in the June 30, 2022 advisory.\n\n - Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from\n CVE-2022-30192, CVE-2022-33638, CVE-2022-33639. (CVE-2022-33680)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#june-30-2022\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?83620a15\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33680\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Microsoft Edge version 103.0.1264.44 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-33680\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_edge_chromium_installed.nbin\");\n script_require_keys(\"installed_sw/Microsoft Edge (Chromium)\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nvar app_info = vcf::get_app_info(app:'Microsoft Edge (Chromium)', win_local:TRUE);\nvar constraints = [\n { 'fixed_version' : '103.0.1264.44' }\n];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}]}