NVD

CVE-2014-0322 Detail

Deferred

This CVE record is not being prioritized for NVD enrichment efforts due to resource or other concerns.

Description

Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: 8.8 HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

ADP: CISA-ADP

Base Score: 8.8 HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: 9.3 HIGH

Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL	Source(s)	Tag(s)
http://community.websense.com/blogs/securitylabs/archive/2014/02/13/msie-0-day-exploit-cve-2014-0322-possibly-targeting-french-aerospace-organization.aspx	CVE, Microsoft Corporation	Broken Link Permissions Required
http://technet.microsoft.com/security/advisory/2934088	CVE, Microsoft Corporation	Patch Vendor Advisory
http://twitter.com/nanoc0re/statuses/434251658344673281	CVE, Microsoft Corporation	Press/Media Coverage
http://www.exploit-db.com/exploits/32851	CVE, Microsoft Corporation	Exploit Third Party Advisory VDB Entry
http://www.exploit-db.com/exploits/32904	CVE, Microsoft Corporation	Exploit Third Party Advisory VDB Entry
http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2.html	CVE, Microsoft Corporation	Broken Link
http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html	CVE, Microsoft Corporation	Broken Link
http://www.kb.cert.org/vuls/id/732479	CVE, Microsoft Corporation	Third Party Advisory US Government Resource
http://www.osvdb.org/103354	CVE, Microsoft Corporation	Broken Link
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-012	CVE, Microsoft Corporation	Patch Vendor Advisory
https://www.dropbox.com/s/pyxjgycmudirbqe/CVE-2014-0322.zip	CVE, Microsoft Corporation	Broken Link Exploit

This CVE is in CISA's Known Exploited Vulnerabilities Catalog

Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements.

Vulnerability Name	Date Added	Due Date	Required Action
Microsoft Internet Explorer Use-After-Free Vulnerability	05/04/2022	05/25/2022	Apply updates per vendor instructions.

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-416	Use After Free	NIST CISA-ADP

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

9 change records found show changes

Modified Analysis by NIST 3/14/2025 4:17:00 PM

Action	Type	Old Value	New Value
Changed	CPE Configuration	AND OR cpe:2.3:a:microsoft:internet_explorer:10::::::: OR cpe:2.3:o:microsoft:windows_server_2008:r2:::::::* cpe:2.3:o:microsoft:windows_rt:-:::::::* cpe:2.3:o:microsoft:windows_7:-:::::::* cpe:2.3:o:microsoft:windows_8:-:::::::* cpe:2.3:o:microsoft:windows_server_2012:-:::::::*	AND OR cpe:2.3:a:microsoft:internet_explorer:10::::::: OR cpe:2.3:o:microsoft:windows_server_2008:r2:::::::* cpe:2.3:o:microsoft:windows_rt:-:::::::* cpe:2.3:o:microsoft:windows_7:-:::::::* cpe:2.3:o:microsoft:windows_8:-:::::::* cpe:2.3:o:microsoft:windows_server_2012:-:::::::*
Changed	CPE Configuration	AND OR cpe:2.3:a:microsoft:internet_explorer:10::::::: OR cpe:2.3:o:microsoft:windows_server_2008:r2:::::::* cpe:2.3:o:microsoft:windows_rt:-:::::::* cpe:2.3:o:microsoft:windows_7:-:::::::* cpe:2.3:o:microsoft:windows_8:-:::::::* cpe:2.3:o:microsoft:windows_server_2012:-:::::::*	AND OR cpe:2.3:a:microsoft:internet_explorer:10::::::: OR cpe:2.3:o:microsoft:windows_server_2008:r2:::::::* cpe:2.3:o:microsoft:windows_rt:-:::::::* cpe:2.3:o:microsoft:windows_7:-:::::::* cpe:2.3:o:microsoft:windows_8:-:::::::* cpe:2.3:o:microsoft:windows_server_2012:-:::::::*
Changed	CPE Configuration	AND OR cpe:2.3:a:microsoft:internet_explorer:9::::::: OR cpe:2.3:o:microsoft:windows_server_2008:r2:::::::* cpe:2.3:o:microsoft:windows_server_2008:-:::::::* cpe:2.3:o:microsoft:windows_7:-:::::::* cpe:2.3:o:microsoft:windows_vista:-:::::::*	AND OR cpe:2.3:a:microsoft:internet_explorer:9::::::: OR cpe:2.3:o:microsoft:windows_server_2008:r2:::::::* cpe:2.3:o:microsoft:windows_server_2008:-:::::::* cpe:2.3:o:microsoft:windows_7:-:::::::* cpe:2.3:o:microsoft:windows_vista:-:::::::*
Changed	CPE Configuration	AND OR cpe:2.3:a:microsoft:internet_explorer:9::::::: OR cpe:2.3:o:microsoft:windows_server_2008:r2:::::::* cpe:2.3:o:microsoft:windows_server_2008:-:::::::* cpe:2.3:o:microsoft:windows_7:-:::::::* cpe:2.3:o:microsoft:windows_vista:-:::::::*	AND OR cpe:2.3:a:microsoft:internet_explorer:9::::::: OR cpe:2.3:o:microsoft:windows_server_2008:r2:::::::* cpe:2.3:o:microsoft:windows_server_2008:-:::::::* cpe:2.3:o:microsoft:windows_7:-:::::::* cpe:2.3:o:microsoft:windows_vista:-:::::::*

CVE Modified by CVE 11/20/2024 9:01:52 PM

Action	Type	New Value
Added	Reference	http://community.websense.com/blogs/securitylabs/archive/2014/02/13/msie-0-day-exploit-cve-2014-0322-possibly-targeting-french-aerospace-organization.aspx
Added	Reference	http://technet.microsoft.com/security/advisory/2934088
Added	Reference	http://twitter.com/nanoc0re/statuses/434251658344673281
Added	Reference	http://www.exploit-db.com/exploits/32851
Added	Reference	http://www.exploit-db.com/exploits/32904
Added	Reference	http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2.html
Added	Reference	http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
Added	Reference	http://www.kb.cert.org/vuls/id/732479
Added	Reference	http://www.osvdb.org/103354
Added	Reference	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-012
Added	Reference	https://www.dropbox.com/s/pyxjgycmudirbqe/CVE-2014-0322.zip

Modified Analysis by NIST 7/02/2024 12:50:50 PM

Action	Type	Old Value	New Value
Added	CVSS V3.1		NIST AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Changed	CPE Configuration	OR cpe:2.3:a:microsoft:internet_explorer:9::::::: cpe:2.3:a:microsoft:internet_explorer:10:::::::	AND OR cpe:2.3:a:microsoft:internet_explorer:9::::::: OR cpe:2.3:o:microsoft:windows_7:-:::::::* cpe:2.3:o:microsoft:windows_server_2008:-:::::::* cpe:2.3:o:microsoft:windows_server_2008:r2:::::::* cpe:2.3:o:microsoft:windows_vista:-:::::::*
Added	CPE Configuration		AND OR cpe:2.3:a:microsoft:internet_explorer:10::::::: OR cpe:2.3:o:microsoft:windows_7:-:::::::* cpe:2.3:o:microsoft:windows_8:-:::::::* cpe:2.3:o:microsoft:windows_rt:-:::::::* cpe:2.3:o:microsoft:windows_server_2008:r2:::::::* cpe:2.3:o:microsoft:windows_server_2012:-:::::::*
Changed	Reference Type	http://community.websense.com/blogs/securitylabs/archive/2014/02/13/msie-0-day-exploit-cve-2014-0322-possibly-targeting-french-aerospace-organization.aspx Permissions Required	http://community.websense.com/blogs/securitylabs/archive/2014/02/13/msie-0-day-exploit-cve-2014-0322-possibly-targeting-french-aerospace-organization.aspx Broken Link, Permissions Required
Changed	Reference Type	http://technet.microsoft.com/security/advisory/2934088 Mitigation, Patch, Vendor Advisory	http://technet.microsoft.com/security/advisory/2934088 Patch, Vendor Advisory
Changed	Reference Type	http://www.exploit-db.com/exploits/32851 Exploit	http://www.exploit-db.com/exploits/32851 Exploit, Third Party Advisory, VDB Entry
Changed	Reference Type	http://www.exploit-db.com/exploits/32904 Exploit	http://www.exploit-db.com/exploits/32904 Exploit, Third Party Advisory, VDB Entry
Changed	Reference Type	http://www.osvdb.org/103354 No Types Assigned	http://www.osvdb.org/103354 Broken Link
Changed	Reference Type	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-012 No Types Assigned	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-012 Patch, Vendor Advisory
Changed	Reference Type	https://www.dropbox.com/s/pyxjgycmudirbqe/CVE-2014-0322.zip Exploit	https://www.dropbox.com/s/pyxjgycmudirbqe/CVE-2014-0322.zip Broken Link, Exploit

Modified Analysis by NIST 9/02/2016 9:34:46 PM

Action	Type	Old Value	New Value
Added	CWE		CWE-416
Removed	CWE	CWE-399
Changed	CPE Configuration	Configuration 1 OR cpe:2.3:a:microsoft:internet_explorer:10:::::::	Configuration 1 OR cpe:2.3:a:microsoft:internet_explorer:9::::::: cpe:2.3:a:microsoft:internet_explorer:10:::::::
Changed	Reference Type	http://community.websense.com/blogs/securitylabs/archive/2014/02/13/msie-0-day-exploit-cve-2014-0322-possibly-targeting-french-aerospace-organization.aspx No Types Assigned	http://community.websense.com/blogs/securitylabs/archive/2014/02/13/msie-0-day-exploit-cve-2014-0322-possibly-targeting-french-aerospace-organization.aspx Permissions Required
Changed	Reference Type	http://technet.microsoft.com/security/advisory/2934088 No Types Assigned	http://technet.microsoft.com/security/advisory/2934088 Mitigation, Vendor Advisory, Patch
Changed	Reference Type	http://technet.microsoft.com/security/bulletin/MS14-012 No Types Assigned	http://technet.microsoft.com/security/bulletin/MS14-012 Mitigation, Vendor Advisory, Patch
Changed	Reference Type	http://twitter.com/nanoc0re/statuses/434251658344673281 No Types Assigned	http://twitter.com/nanoc0re/statuses/434251658344673281 Press/Media Coverage
Changed	Reference Type	http://www.exploit-db.com/exploits/32851 No Types Assigned	http://www.exploit-db.com/exploits/32851 Exploit
Changed	Reference Type	http://www.exploit-db.com/exploits/32904 No Types Assigned	http://www.exploit-db.com/exploits/32904 Exploit
Changed	Reference Type	http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2.html No Types Assigned	http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2.html Broken Link
Changed	Reference Type	http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html No Types Assigned	http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html Broken Link
Changed	Reference Type	http://www.kb.cert.org/vuls/id/732479 US Government Resource	http://www.kb.cert.org/vuls/id/732479 Third Party Advisory, US Government Resource
Changed	Reference Type	https://www.dropbox.com/s/pyxjgycmudirbqe/CVE-2014-0322.zip No Types Assigned	https://www.dropbox.com/s/pyxjgycmudirbqe/CVE-2014-0322.zip Exploit

Quick Info

CVE Dictionary Entry:
CVE-2014-0322
NVD Published Date:
02/14/2014
NVD Last Modified:
04/10/2025
Source:
Microsoft Corporation

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2014-0322 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

This CVE is in CISA's Known Exploited Vulnerabilities Catalog

Weakness Enumeration

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Change History

Modified Analysis by NIST 3/14/2025 4:17:00 PM

CVE Modified by CISA-ADP 2/10/2025 2:15:32 PM

Modified Analysis by NIST 12/19/2024 2:21:37 PM

CVE Modified by CVE 11/20/2024 9:01:52 PM

Modified Analysis by NIST 7/02/2024 12:50:50 PM

CVE Modified by Microsoft Corporation 5/13/2024 11:06:58 PM

CVE Modified by Microsoft Corporation 10/12/2018 6:05:53 PM

Modified Analysis by NIST 9/02/2016 9:34:46 PM

Initial CVE Analysis 2/18/2014 11:33:47 AM

Quick Info