Vulnerability Details : CVE-2018-8532
An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XMLA file containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0. This CVE ID is unique from CVE-2018-8527, CVE-2018-8533.
Vulnerability category: XML external entity (XXE) injection; Information leak
Products affected by CVE-2018-8532
- cpe:2.3:a:microsoft:sql_server_management_studio:18.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sql_server_management_studio:17.9:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-8532
0.27%: probability of exploitation activity in the next 30 days
~68%: percentile, the proportion of vulnerabilities that are scored at or below this one
CVSS scores for CVE-2018-8532
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 1.8 | 3.6 | NIST | |
CWE ids for CVE-2018-8532
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-8532
- http://www.securityfocus.com/bid/105475
  Microsoft SQL Server Management Studio CVE-2018-8532 Information Disclosure Vulnerability [Third Party Advisory; VDB Entry]
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8532
  CVE-2018-8532 | SQL Server Management Studio Information Disclosure Vulnerability [Patch; Vendor Advisory]
- https://www.exploit-db.com/exploits/45587/
  Microsoft SQL Server Management Studio 17.9 - '.xmla' XML External Entity Injection [Exploit; Third Party Advisory; VDB Entry]
- http://www.securitytracker.com/id/1041826
  Microsoft SQL Server XML External Entity Processing Flaws Let Remote Users Obtain Potentially Sensitive Information - SecurityTracker [Third Party Advisory; VDB Entry]