CVE-2008-0020 : Unspecified vulnerability in the Load method in the IPersistStreamInit interface

Unspecified vulnerability in the Load method in the IPersistStreamInit interface in the Active Template Library (ATL), as used in the Microsoft Video ActiveX control in msvidctl.dll in DirectShow, in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via unknown vectors that trigger memory corruption, aka "ATL Header Memcopy Vulnerability," a different vulnerability than CVE-2008-0015.

Published 2009-07-07 23:30:00

Updated 2025-04-09 00:30:58

Source MITRE

View at NVD, CVE.org

Vulnerability category: Memory CorruptionExecute code

Products affected by CVE-2008-0020

Microsoft » Windows Xp » Update SP2 Professional X64 Edition
cpe:2.3:o:microsoft:windows_xp:*:sp2:professional_x64:*:*:*:*:*
Matching versions
Microsoft » Windows Xp » Version: N/A Update SP2
cpe:2.3:o:microsoft:windows_xp:-:sp2:*:*:*:*:*:*
Matching versions
Microsoft » Windows Xp » Version: N/A Update SP3
cpe:2.3:o:microsoft:windows_xp:-:sp3:*:*:*:*:*:*
Matching versions
Microsoft » Windows 2003 Server » Version: N/A Update SP2 X64 Edition
cpe:2.3:o:microsoft:windows_2003_server:-:sp2:x64:*:*:*:*:*
Matching versions
Microsoft » Windows 2003 Server » Version: N/A Update SP2 Itanium Edition
cpe:2.3:o:microsoft:windows_2003_server:-:sp2:itanium:*:*:*:*:*
Matching versions
Microsoft » Windows 2003 Server » Version: N/A Update SP2
cpe:2.3:o:microsoft:windows_2003_server:-:sp2:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2008-0020

EPSS FAQ

36.61%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 97 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2008-0020

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2008-0020

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2008-0020

http://www.iss.net/threats/329.html

CVEs referencing this url
http://secunia.com/advisories/36187

About Secunia Research | Flexera
Vendor Advisory

CVEs referencing this url
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-037

Microsoft Security Bulletin MS09-037 - Critical | Microsoft Learn

CVEs referencing this url
http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspx

Microsoft Learn: Build skills that open doors in your career

CVEs referencing this url
http://www.us-cert.gov/cas/techalerts/TA09-223A.html

Microsoft Updates for Multiple Vulnerabilities | CISA
US Government Resource

CVEs referencing this url
http://www.vupen.com/english/advisories/2009/2232

Webmail: access your OVH emails on ovhcloud.com | OVHcloud
Patch;Vendor Advisory

CVEs referencing this url
http://www.securitytracker.com/id?1022712

CVEs referencing this url
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5850

Jump to

Vulnerability Details : CVE-2008-0020

Products affected by CVE-2008-0020

Exploit prediction scoring system (EPSS) score for CVE-2008-0020

CVSS scores for CVE-2008-0020

CWE ids for CVE-2008-0020

References for CVE-2008-0020