CVE-2016-3374 : The PDF library in Microsoft Edge, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 15

The PDF library in Microsoft Edge, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to obtain sensitive information via a crafted web site, aka "PDF Library Information Disclosure Vulnerability," a different vulnerability than CVE-2016-3370.

Published 2016-09-14 10:59:49

Updated 2018-10-12 22:12:49

Source Microsoft Corporation

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2016-3374

Probability of exploitation activity in the next 30 days: 5.90%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 93 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2016-3374

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
6.5	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2016-3374

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-3374

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-105

Microsoft Security Bulletin MS16-105 - Critical | Microsoft Docs

CVEs referencing this url
http://srcincite.io/advisories/src-2016-39/

Page not found · GitHub Pages
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-115

Microsoft Security Bulletin MS16-115 - Important | Microsoft Docs

CVEs referencing this url
http://www.securityfocus.com/bid/92838

Microsoft Windows PDF Library CVE-2016-3374 Remote Code Execution Vulnerability
http://www.securitytracker.com/id/1036789

Microsoft Edge Multiple Flaws Let Remote Users Obtain Potentially Sensitive Information and Execute Arbitrary Code - SecurityTracker

CVEs referencing this url
http://blog.malerisch.net/2016/09/microsoft--out-of-bounds-read-pdf-library-cve-2016-3374.html

Microsoft Windows PDF Library Information Disclosure Vulnerability - CVE-2016-3374 (MS16-115)

Products affected by CVE-2016-3374

Microsoft » Windows Server 2012 » Version: N/A
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2012 » Version: R2
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 8.1
cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Rt 8.1
cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: N/A
cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 1511
cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 1607
cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*
Matching versions
Microsoft » Edge » Version: N/A
cpe:2.3:a:microsoft:edge:-:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2016-3374

Exploit prediction scoring system (EPSS) score for CVE-2016-3374

CVSS scores for CVE-2016-3374

CWE ids for CVE-2016-3374

References for CVE-2016-3374

Products affected by CVE-2016-3374