{"api_version":"1","generated_at":"2026-04-23T04:09:15+00:00","cve":"CVE-2017-11786","urls":{"html":"https://cve.report/CVE-2017-11786","api":"https://cve.report/api/cve/CVE-2017-11786.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-11786","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-11786"},"summary":{"title":"CVE-2017-11786","description":"Skype for Business in Microsoft Lync 2013 SP1 and Skype for Business 2016 allows an attacker to steal an authentication hash that can be reused elsewhere, due to how Skype for Business handles authentication requests, aka \"Skype for Business Elevation of Privilege Vulnerability.\"","state":"PUBLIC","assigner":"secure@microsoft.com","published_at":"2017-10-13 13:29:00","updated_at":"2019-10-03 00:03:00"},"problem_types":["CWE-294"],"metrics":[],"references":[{"url":"http://www.securitytracker.com/id/1039530","name":"1039530","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"Microsoft Skype for Business Lets Remote Authenticated Users Gain Elevated Privileges - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/101156","name":"101156","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Microsoft Skype for Business CVE-2017-11786 Privilege Escalation Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11786","name":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11786","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"{{windowTitle}}","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-11786","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-11786","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"11786","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"lync","cpe6":"2013","cpe7":"sp1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"11786","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"lync","cpe6":"2013","cpe7":"sp1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"11786","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"skype_for_business","cpe6":"2016","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"11786","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"skype_for_business","cpe6":"2016","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"secure@microsoft.com","DATE_PUBLIC":"2017-10-10T00:00:00","ID":"CVE-2017-11786","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Skype for Business","version":{"version_data":[{"version_value":"Microsoft Lync 2013 SP1 and Skype for Business 2016"}]}}]},"vendor_name":"Microsoft Corporation"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Skype for Business in Microsoft Lync 2013 SP1 and Skype for Business 2016 allows an attacker to steal an authentication hash that can be reused elsewhere, due to how Skype for Business handles authentication requests, aka \"Skype for Business Elevation of Privilege Vulnerability.\""}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Elevation of Privilege"}]}]},"references":{"reference_data":[{"name":"101156","refsource":"BID","url":"http://www.securityfocus.com/bid/101156"},{"name":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11786","refsource":"CONFIRM","url":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11786"},{"name":"1039530","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1039530"}]}},"nvd":{"publishedDate":"2017-10-13 13:29:00","lastModifiedDate":"2019-10-03 00:03:00","problem_types":["CWE-294"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":9.3},"severity":"HIGH","exploitabilityScore":8.6,"impactScore":10,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:microsoft:lync:2013:sp1:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:microsoft:skype_for_business:2016:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"11786","Ordinal":"108933","Title":"CVE-2017-11786","CVE":"CVE-2017-11786","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"11786","Ordinal":"1","NoteData":"Skype for Business in Microsoft Lync 2013 SP1 and Skype for Business 2016 allows an attacker to steal an authentication hash that can be reused elsewhere, due to how Skype for Business handles authentication requests, aka \"Skype for Business Elevation of Privilege Vulnerability.\"","Type":"Description","Title":null},{"CveYear":"2017","CveId":"11786","Ordinal":"2","NoteData":"2017-10-13","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"11786","Ordinal":"3","NoteData":"2017-10-14","Type":"Other","Title":"Modified"}]}}}