製品・ソフトウェアに関する情報

JVN脆弱性詳細

複数の Microsoft 製品における任意のファイルを読まれる脆弱性

Title	複数の Microsoft 製品における任意のファイルを読まれる脆弱性
Summary	複数の Microsoft 製品は、外部エンティティを適切に処理しないため、任意のファイルを読まれる脆弱性が存在します。
Possible impacts	第三者により、巧妙に細工された .disco (Web Service Discovery) ファイルを介して、サービス運用妨害 (システムハング) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 14, 2011, midnight
Registration Date	June 27, 2011, 4:19 p.m.
Last Update	June 27, 2011, 4:19 p.m.

CVSS2.0 : 警告
Score	4.3
Vector	AV:N/AC:M/Au:N/C:P/I:N/A:N

Affected System

マイクロソフト

Microsoft InfoPath 2007

Microsoft InfoPath 2010 (32-bit editions)

Microsoft InfoPath 2010 (64-bit editions)

Microsoft SQL Server 2005

Microsoft SQL Server 2005 Express Edition

Microsoft SQL Server 2005 Express Edition with Advanced Services

Microsoft SQL Server 2005 for Itanium-based Systems

Microsoft SQL Server 2005 x64 Edition

Microsoft SQL Server 2008 for 32-bit Systems

Microsoft SQL Server 2008 for Itanium-based Systems

Microsoft SQL Server 2008 for x64-based Systems

Microsoft SQL Server 2008 R2 for 32-bit Systems

Microsoft SQL Server 2008 R2 for Itanium-based Systems

Microsoft SQL Server 2008 R2 for x64-based Systems

Microsoft SQL Server Management Studio Express (SSMSE) 2005

Microsoft SQL Server Management Studio Express (SSMSE) 2005 x64 Edition

Microsoft Visual Studio 2005

Microsoft Visual Studio 2008

Microsoft Visual Studio 2010

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-1280	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1280
National Vulnerability Database (NVD)
2	CVE-2011-1280	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1280

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

No	Name	URL
Microsoft Security Bulletin
1	MS11-049	http://www.microsoft.com/technet/security/bulletin/MS11-049.mspx
マイクロソフトセキュリティ情報
2	MS11-049	http://www.microsoft.com/japan/technet/security/bulletin/MS11-049.mspx
富士通セキュリティ情報
3	TA11-165A	http://software.fujitsu.com/jp/security/vulnerabilities/ta11-165a.html
絵でみるセキュリティ情報
4	MS11-049e	http://www.microsoft.com/japan/security/bulletins/MS11-049e.mspx

その他

No	Name	URL
JPCERT 緊急報告
1	JPCERT-AT-2011-0016	https://www.jpcert.or.jp/at/2011/at110016.txt
JVN
2	JVNTA11-165A	http://jvn.jp/cert/JVNTA11-165A
Secunia Advisory
3	SA44912	http://secunia.com/advisories/44912
SecurityFocus
4	48196	http://www.securityfocus.com/bid/48196
SecurityTracker
5	1025646	http://www.securitytracker.com/id/1025646
6	1025647	http://www.securitytracker.com/id/1025647
7	1025648	http://www.securitytracker.com/id/1025648
US-CERT Cyber Security Alerts
8	SA11-165A	http://www.us-cert.gov/cas/alerts/SA11-165A.html
US-CERT Technical Cyber Security Alert
9	TA11-165A	http://www.us-cert.gov/cas/techalerts/TA11-165A.html
警察庁 @police
10	マイクロソフト社のセキュリティ修正プログラムについて(MS11-037,038,039,040,041,042,043,044,045,046,047,048,049,050,051,052)(2011年06月15日)	http://www.npa.go.jp/cyberpolice/#topics

Change Log

No	Changed Details	Date of change
0	[2011年06月27日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2011-1280

Summary	The XML Editor in Microsoft InfoPath 2007 SP2 and 2010; SQL Server 2005 SP3 and SP4 and 2008 SP1, SP2, and R2; SQL Server Management Studio Express (SSMSE) 2005; and Visual Studio 2005 SP1, 2008 SP1, and 2010 does not properly handle external entities, which allows remote attackers to read arbitrary files via a crafted .disco (Web Service Discovery) file, aka "XML External Entities Resolution Vulnerability."
Publication Date	June 17, 2011, 5:55 a.m.
Registration Date	Jan. 28, 2021, 4:38 p.m.
Last Update	Nov. 21, 2024, 10:25 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:microsoft:sql_server_management_studio_express:2005:::::::*
cpe:2.3:a:microsoft:sql_server:2005:sp4:express:::::*
cpe:2.3:a:microsoft:sql_server:2008:r2:itanium:::::*
cpe:2.3:a:microsoft:sql_server:2008:sp2:x64:::::*
cpe:2.3:a:microsoft:sql_server:2008:sp2:x32:::::*
cpe:2.3:a:microsoft:visual_studio:2005:sp1::::::
cpe:2.3:a:microsoft:office_infopath:2007:sp2::::::
cpe:2.3:a:microsoft:sql_server:2005:sp4:itanium:::::*
cpe:2.3:a:microsoft:sql_server_management_studio_express:2005::x64:::::
cpe:2.3:a:microsoft:sql_server:2005:sp4::::::
cpe:2.3:a:microsoft:visual_studio:2008:sp1::::::
cpe:2.3:a:microsoft:sql_server:2005:sp4:express_advanced_services:::::*
cpe:2.3:a:microsoft:sql_server:2005:sp4:x64:::::*
cpe:2.3:a:microsoft:sql_server:2008:r2:x64:::::*
cpe:2.3:a:microsoft:visual_studio:2010:::::::*
cpe:2.3:a:microsoft:sql_server:2005:sp3:express:::::*
cpe:2.3:a:microsoft:sql_server:2005:sp3:x64:::::*
cpe:2.3:a:microsoft:office_infopath:2010::x64:::::
cpe:2.3:a:microsoft:sql_server:2008:sp1:itanium:::::*
cpe:2.3:a:microsoft:sql_server:2005:sp3:express_advanced_services:::::*
cpe:2.3:a:microsoft:sql_server:2008:sp1:x64:::::*
cpe:2.3:a:microsoft:office_infopath:2010::x32:::::
cpe:2.3:a:microsoft:sql_server:2008:sp2:itanium:::::*
cpe:2.3:a:microsoft:sql_server:2005:sp3:itanium:::::*
cpe:2.3:a:microsoft:sql_server:2005:sp3::::::

Related information, measures and tools

No	URL	refsource	タグ
1	http://secunia.com/advisories/44912
2	http://www.securityfocus.com/bid/48196
3	http://www.securitytracker.com/id?1025646
4	http://www.securitytracker.com/id?1025647
5	http://www.securitytracker.com/id?1025648
6	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-049
7	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12664
8	http://secunia.com/advisories/44912
9	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12664
10	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-049
11	http://www.securitytracker.com/id?1025648
12	http://www.securitytracker.com/id?1025647
13	http://www.securitytracker.com/id?1025646
14	http://www.securityfocus.com/bid/48196

Common Vulnerabilities List

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:microsoft:sql_server_management_studio_express:2005:::::::*
cpe:2.3:a:microsoft:sql_server:2005:sp4:express:::::*
cpe:2.3:a:microsoft:sql_server:2008:r2:itanium:::::*
cpe:2.3:a:microsoft:sql_server:2008:sp2:x64:::::*
cpe:2.3:a:microsoft:sql_server:2008:sp2:x32:::::*
cpe:2.3:a:microsoft:visual_studio:2005:sp1::::::
cpe:2.3:a:microsoft:office_infopath:2007:sp2::::::
cpe:2.3:a:microsoft:sql_server:2005:sp4:itanium:::::*
cpe:2.3:a:microsoft:sql_server_management_studio_express:2005::x64:::::
cpe:2.3:a:microsoft:sql_server:2005:sp4::::::
cpe:2.3:a:microsoft:visual_studio:2008:sp1::::::
cpe:2.3:a:microsoft:sql_server:2005:sp4:express_advanced_services:::::*
cpe:2.3:a:microsoft:sql_server:2005:sp4:x64:::::*
cpe:2.3:a:microsoft:sql_server:2008:r2:x64:::::*
cpe:2.3:a:microsoft:visual_studio:2010:::::::*
cpe:2.3:a:microsoft:sql_server:2005:sp3:express:::::*
cpe:2.3:a:microsoft:sql_server:2005:sp3:x64:::::*
cpe:2.3:a:microsoft:office_infopath:2010::x64:::::
cpe:2.3:a:microsoft:sql_server:2008:sp1:itanium:::::*
cpe:2.3:a:microsoft:sql_server:2005:sp3:express_advanced_services:::::*
cpe:2.3:a:microsoft:sql_server:2008:sp1:x64:::::*
cpe:2.3:a:microsoft:office_infopath:2010::x32:::::
cpe:2.3:a:microsoft:sql_server:2008:sp2:itanium:::::*
cpe:2.3:a:microsoft:sql_server:2005:sp3:itanium:::::*
cpe:2.3:a:microsoft:sql_server:2005:sp3::::::