CVE-2020-1322: Microsoft Project Information Disclosure Vulnerability

Overview

Severity

N/A

Category

Information Disclosure

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2020-Jun

Released

2020-06-09

EPSS Score

25.13% (percentile: 96.2%)

Description

An information disclosure vulnerability exists when Microsoft Project reads out of bound memory due to an uninitialized variable. An attacker who successfully exploited the vulnerability could view out of bound memory that potentially could contain sensitive information. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Project. The security update addresses the vulnerability by properly initializing the affected variable.

FAQ

What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector.

Affected Products (10)

Microsoft Office

• Microsoft Project 2013 Service Pack 1 (32-bit editions)
• Microsoft Project 2013 Service Pack 1 (64-bit editions)
• Microsoft Project 2016 (32-bit edition)
• Microsoft Project 2016 (64-bit edition)
• Microsoft Project 2010 Service Pack 2 (32-bit editions)
• Microsoft Project 2010 Service Pack 2 (64-bit editions)
• Microsoft Office 2019 for 32-bit editions
• Microsoft Office 2019 for 64-bit editions
• Microsoft 365 Apps for Enterprise for 64-bit Systems
• Microsoft 365 Apps for Enterprise for 32-bit Systems

Security Updates (6)

• 4484369
• 4484369
• 4484399
• 4484399
• 4484387
• 4484387

Acknowledgments

Dor Zvi of <a href="https://www.mimecast.com/blog/">Mimecast Research Labs</a>

Revision History

• 2020-06-09: Information published.