CVE-2022-33632: Microsoft Office Security Feature Bypass Vulnerability
Overview
- Severity
- Medium (CVSS 4.7)
- CVSS Vector
- CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
- Category
- Security Feature Bypass
- Exploit Status
- Not Exploited
- Exploitation Likelihood
- Less Likely
- Patch Tuesday
- 2022-Jul
- Released
- 2022-07-12
- EPSS Score
- 0.64% (percentile: 70.5%)
FAQ
According to the CVSS metric, the attack vector is local (AV:L) but no privileges are required (PR:N) and user interaction is required (UI:R). How could an attacker exploit this security feature bypass vulnerability?
The attack itself is carried out locally by a user with authentication to the targeted system. An attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer.
According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component.
Affected Products (11)
Microsoft Office
- Microsoft Office LTSC 2021 for 64-bit editions
- Microsoft Office LTSC 2021 for 32-bit editions
- Microsoft Office 2019 for 32-bit editions
- Microsoft Office 2019 for 64-bit editions
- Microsoft 365 Apps for Enterprise for 32-bit Systems
- Microsoft 365 Apps for Enterprise for 64-bit Systems
- Microsoft Office 2016 (32-bit edition)
- Microsoft Office 2016 (64-bit edition)
- Microsoft Office 2013 RT Service Pack 1
- Microsoft Office 2013 Service Pack 1 (32-bit editions)
- Microsoft Office 2013 Service Pack 1 (64-bit editions)
Security Updates (4)
Acknowledgments
Nathan Shomber of Microsoft
Revision History
- 2022-07-12: Information published.