CVE-2024-21351

Warnung

EPSS 6.23%
Veröffentlicht 13.02.2024 18:15:51
Zuletzt bearbeitet 29.11.2024 15:27:41
Quelle secure@microsoft.com
Teams Watchlist Login
Unerledigt Login

Windows SmartScreen Security Feature Bypass Vulnerability

Betroffene Produkte Warnungen 1 Metriken 2 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Microsoft ≫ Windows 10 1507 Version < 10.0.10240.20469

Microsoft ≫ Windows 10 1607 Version < 10.0.14393.6709

Microsoft ≫ Windows 10 1809 Version < 10.0.17763.5458

Microsoft ≫ Windows 10 21h2 Version < 10.0.19044.4046

Microsoft ≫ Windows 10 22h2 Version < 10.0.19045.4046

Microsoft ≫ Windows 11 21h2 Version < 10.0.22000.2777

Microsoft ≫ Windows 11 22h2 Version < 10.0.22621.3155

Microsoft ≫ Windows 11 23h2 Version < 10.0.22631.3155

Microsoft ≫ Windows Server 2016 Version-

Microsoft ≫ Windows Server 2019 Version < 10.0.17763.5458

Microsoft ≫ Windows Server 2022 Version < 10.0.20348.2322

Microsoft ≫ Windows Server 2022 23h2 Version < 10.0.25398.709

13.02.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

Schwachstelle

Microsoft Windows SmartScreen contains a security feature bypass vulnerability that allows an attacker to bypass the SmartScreen user experience and inject code to potentially gain code execution, which could lead to some data exposure, lack of system availability, or both.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	6.23%	0.906

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
secure@microsoft.com	7.6	2.8	4.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21351

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-21351

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-21351

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-21351

EUVD