CVE-2017-8470 : Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Win

Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an authenticated attacker to run a specially crafted application when the Windows kernel improperly initializes objects in memory, aka "Win32k Information Disclosure Vulnerability". This CVE ID is unique from CVE-2017-8471, CVE-2017-8472, CVE-2017-8473, CVE-2017-8475, CVE-2017-8477, and CVE-2017-8484.

Published 2017-06-15 01:29:03

Updated 2019-03-19 13:48:42

Source Microsoft Corporation

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2017-8470

Microsoft » Windows Server 2008 » Version: N/A Update SP2
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2008 » Version: R2 Update SP1 For Itanium
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
Matching versions
Microsoft » Windows Server 2008 » Version: R2 Update SP1 For X64
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
Matching versions
Microsoft » Windows 7 » Version: N/A Update SP1
cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2012 » Version: N/A
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2012 » Version: R2
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 8.1 » Version: N/A
cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Rt 8.1 » Version: N/A
cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: N/A
cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 1511
cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 1607
cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 1703
cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2016 » Version: N/A
cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-8470

EPSS FAQ

13.62%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 94 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-8470

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
1.9	LOW	AV:L/AC:M/Au:N/C:P/I:N/A:N	3.4	2.9	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.0	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N	1.3	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2017-8470

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-8470

http://www.securityfocus.com/bid/98848

Microsoft Windows Kernel 'Win32k.sys' CVE-2017-8470 Local Information Disclosure Vulnerability
Third Party Advisory;VDB Entry
https://www.exploit-db.com/exploits/42223/

Microsoft Windows - 'win32k!NtGdiExtGetObjectW' Kernel Stack Memory Disclosure
Exploit;Third Party Advisory;VDB Entry
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8470

CVE-2017-8470 | Windows Kernel Information Disclosure Vulnerability
Patch;Vendor Advisory

Jump to

Vulnerability Details : CVE-2017-8470

Products affected by CVE-2017-8470

Exploit prediction scoring system (EPSS) score for CVE-2017-8470

CVSS scores for CVE-2017-8470

CWE ids for CVE-2017-8470

References for CVE-2017-8470