10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%
HTTP Protocol Stack Remote Code Execution Vulnerability
Recent assessments:
architect00 at May 12, 2021 8:18am UTC reported:
The vulnerability only affects newer versions of Windows 10 / Server. Version 20H2 and 2004 of Windows 10 and Windows Server Core installations are affected according to the Microsoft Advisory.
The semi-annual channel versions are not that common in bigger organisations. This affected my rating on attacker value. I would argue , that most of them use the LTSC of older Windows versions. The attacker value is not very low, because the vulnerability has the potential of being used for lateral movement in a computer worm. So this might still be relevant to use in smaller organisations.
Microsoft rates this vulnerability “Exploitation more likely”. This means that exploitation would be reliable and Microsoft ist aware of exploits in past for similar vulnerabilities. This affected my Exploitability scoring towards Easy on this vulnerability.
Sources:
<https://twitter.com/GossiTheDog/status/1392211087601410054>
<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166>
jheysel-r7 at May 17, 2021 7:38pm UTC reported:
The vulnerability only affects newer versions of Windows 10 / Server. Version 20H2 and 2004 of Windows 10 and Windows Server Core installations are affected according to the Microsoft Advisory.
The semi-annual channel versions are not that common in bigger organisations. This affected my rating on attacker value. I would argue , that most of them use the LTSC of older Windows versions. The attacker value is not very low, because the vulnerability has the potential of being used for lateral movement in a computer worm. So this might still be relevant to use in smaller organisations.
Microsoft rates this vulnerability “Exploitation more likely”. This means that exploitation would be reliable and Microsoft ist aware of exploits in past for similar vulnerabilities. This affected my Exploitability scoring towards Easy on this vulnerability.
Sources:
<https://twitter.com/GossiTheDog/status/1392211087601410054>
<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166>
nu11secur1ty at July 10, 2021 9:26pm UTC reported:
The vulnerability only affects newer versions of Windows 10 / Server. Version 20H2 and 2004 of Windows 10 and Windows Server Core installations are affected according to the Microsoft Advisory.
The semi-annual channel versions are not that common in bigger organisations. This affected my rating on attacker value. I would argue , that most of them use the LTSC of older Windows versions. The attacker value is not very low, because the vulnerability has the potential of being used for lateral movement in a computer worm. So this might still be relevant to use in smaller organisations.
Microsoft rates this vulnerability “Exploitation more likely”. This means that exploitation would be reliable and Microsoft ist aware of exploits in past for similar vulnerabilities. This affected my Exploitability scoring towards Easy on this vulnerability.
Sources:
<https://twitter.com/GossiTheDog/status/1392211087601410054>
<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166>
Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 4
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%