CVE-2018-8532 — Vulnetix

CVE-2018-8532 PUBLISHED CVSS 5.5 MEDIUM

An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XMLA file containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0. This CVE ID is unique from CVE-2018-8527, CVE-2018-8533.

EPSS 47.85% · 97.8th percentile

Risk Scores

CVSS 3.0

5.5

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS Score

47.85%

97.8th percentile

Affected Products

Vendor	Product	Versions
Microsoft	SQL Server Management Studio 17.9	SQL Server Management Studio 17.9
microsoft	sql_server_management_studio	17.9, 18.0
Microsoft	SQL Server Management Studio 18.0	(Preview 4)

Exploit Intelligence

https://www.exploit-db.com/exploits/45587/ (nist-nvd)
CIRCL seen: CVE-2018-8532 (circl-sighting)
CIRCL exploited: CVE-2018-8532 (circl-sighting)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8532 (circl)
1041826 (circl)
105475 (circl)
Microsoft SQL Server Management Studio 17.9 - .xmla XML External Entity Injection Vulnerability (0day-today)
Microsoft SQL Server Management Studio 17.9 - .xmla XML External Entity Injection Vulnerability (0day-today)

Timeline

Oct 10, 2018 CVE Published
Oct 11, 2018 PoC Published
Oct 11, 2018 PoC Published
Oct 17, 2018 PoC Published
Apr 14, 2021 EPSS Score
Jun 23, 2021 EPSS Score
Oct 26, 2021 EPSS Score
Dec 27, 2021 EPSS Score
Feb 28, 2022 EPSS Score
May 2, 2022 EPSS Score
Jul 3, 2022 EPSS Score
Nov 6, 2022 EPSS Score

References

https://portal.msrc.microsoft.com/fr-FR/security-guidance advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8532 url
1041826 vdb
105475 vdb
45587 exploit
https://nvd.nist.gov/vuln/detail/CVE-2018-8532 advisory
https://www.exploit-db.com/exploits/45587 url

Open in Interactive Console →