CVE-2022-29107: Microsoft Office Security Feature Bypass Vulnerability
Overview
- Severity
- Medium (CVSS 5.5)
- CVSS Vector
- CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
- Category
- Security Feature Bypass
- Exploit Status
- Not Exploited
- Exploitation Likelihood
- Less Likely
- Patch Tuesday
- 2022-May
- Released
- 2022-05-10
- EPSS Score
- 7.73% (percentile: 91.9%)
FAQ
Is the Preview Pane an attack vector for this vulnerability?
No, the Preview Pane is not an attack vector.
What kind of security feature could be bypassed by successfully exploiting this vulnerability?
An attacker who successfully exploited this vulnerability would be able to view Personally Identifiable Information (PII), bypassing the "ThisDocument.RemovePersonalInformation" expected functionality. The attacker would need to first gain access to a document protected in this way by the target.
According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
A attacker would need to make use of the affected protection and then make the file accessible, either through direct file sharing, posting the file online, or another avenue of access.
Affected Products (15)
Microsoft Office
- Microsoft Office LTSC 2021 for 64-bit editions
- Microsoft Office LTSC 2021 for 32-bit editions
- Microsoft Office 2019 for 32-bit editions
- Microsoft Office 2019 for 64-bit editions
- Microsoft 365 Apps for Enterprise for 32-bit Systems
- Microsoft 365 Apps for Enterprise for 64-bit Systems
- Microsoft Word 2016 (32-bit edition)
- Microsoft Word 2016 (64-bit edition)
- Microsoft Publisher 2016 (32-bit edition)
- Microsoft Publisher 2016 (64-bit edition)
- Microsoft Publisher 2013 Service Pack 1 (32-bit editions)
- Microsoft Publisher 2013 Service Pack 1 (64-bit editions)
- Microsoft Word 2013 RT Service Pack 1
- Microsoft Word 2013 Service Pack 1 (32-bit editions)
- Microsoft Word 2013 Service Pack 1 (64-bit editions)
Security Updates (8)
Acknowledgments
Nathan Shomber of Microsoft
Revision History
- 2022-05-10: Information published.