CVE-2020-1296: Windows Diagnostics & feedback Information Disclosure Vulnerability
Overview
- Severity
- Medium (CVSS 5)
- CVSS Vector
- CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
- Category
- Information Disclosure
- Exploit Status
- Not Exploited
- Exploitation Likelihood
- Less Likely
- Patch Tuesday
- 2020-Jun
- Released
- 2020-06-09
- Last Updated
- 2021-04-20
- EPSS Score
- 0.36% (percentile: 58.3%)
Description
A vulnerability exists in the way the Windows Diagnostics & feedback settings app handles objects in memory. An attacker who successfully exploited this vulnerability could cause additional diagnostic data from the affected device to be sent to Microsoft.
To exploit the vulnerability, an attacker would have to log on to an affected system and interact with the Windows Diagnostics & feedback Settings app.
The security update addresses the vulnerability by correcting the way the Windows Diagnostics & feedback Settings app handles objects in memory.
FAQ
What type of information could be disclosed by this vulnerability?
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is Personally Identifiable Information (PII).
Affected Products (17)
Windows
- Windows 10 Version 1809 for 32-bit Systems
- Windows 10 Version 1809 for x64-based Systems
- Windows 10 Version 1809 for ARM64-based Systems
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows Server, version 1909 (Server Core installation)
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows 10 Version 2004 for ARM64-based Systems
- Windows 10 Version 2004 for 32-bit Systems
- Windows Server, version 2004 (Server Core installation)
- Windows 10 Version 2004 for x64-based Systems
Security Updates (3)
Acknowledgments
Kushal Arvind Shah of Fortinet's FortiGuard Labs
Revision History
- 2020-06-09: Information published.
- 2021-04-20: Corrected the Severity and Impact entries in the Security Updates table for all affected versions of Window 10 Version 2004 and Windows Server, version 2004. This is an informational change only. Customers who have already successfully installed the updates do not need to take any further action.