← back
CVE-2019-1148

Microsoft Graphics Component Information Disclosure Vulnerability

CVSS 5.5 MEDIUMEPSS 2.8%CWE-125
Vexday Risk Score
33Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 5.5EPSS 2.8%KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
14 Aug 2019Published on NVD
15 Aug 2019Public PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting the way in which the Windows Graphics Component handles objects in memory.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Affected products
Microsoft · Microsoft Office 2019 for MacMicrosoft · Windows 10 Version 1507Microsoft · Windows 10 Version 1607Microsoft · Windows 10 Version 1703Microsoft · Windows 10 Version 1709Microsoft · Windows 10 Version 1709 for 32-bit SystemsMicrosoft · Windows 10 Version 1803Microsoft · Windows 10 Version 1809Microsoft · Windows 10 Version 1903 for 32-bit SystemsMicrosoft · Windows 10 Version 1903 for ARM64-based SystemsMicrosoft · Windows 10 Version 1903 for x64-based SystemsMicrosoft · Windows 7Microsoft · Windows 7 Service Pack 1Microsoft · Windows 8.1Microsoft · Windows Server 2008 R2 Service Pack 1Microsoft · Windows Server 2008 R2 Service Pack 1 (Server Core installation)Microsoft · Windows Server 2008 R2 Systems Service Pack 1Microsoft · Windows Server 2008 Service Pack 2Microsoft · Windows Server 2008 Service Pack 2Microsoft · Windows Server 2008 Service Pack 2 (Server Core installation)Microsoft · Windows Server 2012Microsoft · Windows Server 2012 R2Microsoft · Windows Server 2012 R2 (Server Core installation)Microsoft · Windows Server 2012 (Server Core installation)Microsoft · Windows Server 2016Microsoft · Windows Server 2016 (Server Core installation)Microsoft · Windows Server 2019Microsoft · Windows Server 2019 (Server Core installation)Microsoft · Windows Server, version 1803 (Server Core Installation)Microsoft · Windows Server, version 1903 (Server Core installation)
public PoCs found2
cve_referencepacketstormsecurity.com/files/154084/Microsoft-Font-Subsetting-DLL-GetGlyphId-Out-Of-Bounds-Read.htmlunverifiedexploitdbwww.exploit-db.com/exploits/47262unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/154084/Microsoft-Font-Subsetting-DLL-GetGlyphId-Out-Of-Bounds-Read.htmlhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1148