CVEdetails.com the ultimate security vulnerability data source

Vulnerability Details : CVE-2008-3068

Microsoft Crypto API 5.131.2600.2180 through 6.0, as used in Outlook, Windows Live Mail, and Office 2007, performs Certificate Revocation List (CRL) checks by using an arbitrary URL from a certificate embedded in a (1) S/MIME e-mail message or (2) signed document, which allows remote attackers to obtain reading times and IP addresses of recipients, and port-scan results, via a crafted certificate with an Authority Information Access (AIA) extension.
Publish Date: 2008-07-07
Last Update Date: 2018-10-11

- CVSS Scores & Vulnerability Types

CVSS Score: 7.5
Confidentiality Impact: Partial (There is considerable informational disclosure.)
Integrity Impact: Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.)
Availability Impact: Partial (There is reduced performance or interruptions in resource availability.)
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit.)
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
Gained Access: User
Vulnerability Type(s): Obtain Information
CWE ID: Not defined for this vulnerability

- Products Affected By CVE-2008-3068

| # | Product Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|---|
| 1 | Application | Microsoft | Access | 2007 | | | |
| 2 | Application | Microsoft | Excel | 2003 | | | |
| 3 | Application | Microsoft | Excel | 2007 | | | |
| 4 | Application | Microsoft | Frontpage | 2003 | | | |
| 5 | Application | Microsoft | Groove | 2007 | | | |
| 6 | Application | Microsoft | Infopath | 2003 | | | |
| 7 | Application | Microsoft | Infopath | 2007 | | | |
| 8 | Application | Microsoft | Office | 2007 | | | |
| 9 | Application | Microsoft | Office | 2007 | SP1 | | |
| 10 | Application | Microsoft | Office Communicator | 2007 | | | |
| 11 | Application | Microsoft | Onenote | 2003 | | | |
| 12 | Application | Microsoft | Outlook | 2003 | | | |
| 13 | Application | Microsoft | Outlook | 2007 | | | |
| 14 | Application | Microsoft | Powerpoint | 2003 | | | |
| 15 | Application | Microsoft | Powerpoint | 2007 | | | |
| 16 | Application | Microsoft | Project Professional | 2007 | | | |
| 17 | Application | Microsoft | Project Standard | 2007 | | | |
| 18 | Application | Microsoft | Publisher | 2003 | | | |
| 19 | Application | Microsoft | Publisher | 2007 | | | |
| 20 | Application | Microsoft | Sharepoint Designer | 2007 | | | |
| 21 | Application | Microsoft | Visio Professional | 2007 | | | |
| 22 | Application | Microsoft | Visio Standard | 2007 | | | |
| 23 | Application | Microsoft | Windows Live Mail | 2008 | | | |

- Number Of Affected Versions By Product

| Vendor | Product | Vulnerable Versions |
|---|---|---|
| Microsoft | Access | 1 |
| Microsoft | Excel | 2 |
| Microsoft | Frontpage | 1 |
| Microsoft | Groove | 1 |
| Microsoft | Infopath | 2 |
| Microsoft | Office | 2 |
| Microsoft | Office Communicator | 1 |
| Microsoft | Onenote | 1 |
| Microsoft | Outlook | 2 |
| Microsoft | Powerpoint | 2 |
| Microsoft | Project Professional | 1 |
| Microsoft | Project Standard | 1 |
| Microsoft | Publisher | 2 |
| Microsoft | Sharepoint Designer | 1 |
| Microsoft | Visio Professional | 1 |
| Microsoft | Visio Standard | 1 |
| Microsoft | Windows Live Mail | 1 |

- References For CVE-2008-3068

https://www.cynops.de/techzone/http_over_x509.html
http://www.securitytracker.com/id?1019738 (SECTRACK 1019738)
https://www.cynops.de/advisories/AKLINK-SA-2008-002.txt
https://www.cynops.de/advisories/AKLINK-SA-2008-003.txt
https://www.cynops.de/advisories/AKLINK-SA-2008-004.txt
http://www.securitytracker.com/id?1019737 (SECTRACK 1019737)
http://securityreason.com/securityalert/3978 (SREASON 3978)
http://www.securitytracker.com/id?1019736 (SECTRACK 1019736)
http://www.securityfocus.com/archive/1/494101/100/0/threaded (BUGTRAQ 20080709 Re: Unauthorized reading confirmation from Outlook)
http://www.securityfocus.com/bid/28548 (BID 28548 Microsoft Crypto API X.509 Certificate Validation Remote Information Disclosure Vulnerability, Release Date: 2008-07-04)
http://www.securityfocus.com/archive/1/493947/100/0/threaded (BUGTRAQ 20080703 Unauthorized reading confirmation from Outlook)

- Metasploit Modules Related To CVE-2008-3068

There are no Metasploit modules related to this CVE entry (please visit www.metasploit.com for more information).

