CVE-2009-0091

2009-10-1410:30:00

CWE-94

[email protected]

web.nvd.nist.gov

microsoft

.net framework

type-equality constraint

vulnerability

security

nvd

cve-2009-0091

7.3 High

AI Score

Confidence

Low

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.584 Medium

EPSS

Percentile

97.7%

JSON

Microsoft .NET Framework 2.0, 2.0 SP1, and 3.5 does not properly enforce a certain type-equality constraint in .NET verifiable code, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP), (2) a crafted ASP.NET application, or (3) a crafted .NET Framework application, aka “Microsoft .NET Framework Type Verification Vulnerability.”

CPENameOperatorVersion
microsoft:windows_2000microsoft windows 2000eq*
microsoft:.net_frameworkmicrosoft .net frameworkeq1.1
microsoft:.net_frameworkmicrosoft .net frameworkeq2.0
microsoft:windows_server_2003microsoft windows server 2003eq*
microsoft:windows_server_2008microsoft windows server 2008eq*
microsoft:windows_server_2008microsoft windows server 2008eq-
microsoft:.net_frameworkmicrosoft .net frameworkeq3.5
microsoft:windows_vistamicrosoft windows vistaeq*
microsoft:windows_7microsoft windows 7eq-
microsoft:.net_frameworkmicrosoft .net frameworkeq1.0

CPE	Name	Operator	Version
microsoft:windows_2000	microsoft windows 2000	eq	*
microsoft:.net_framework	microsoft .net framework	eq	1.1
microsoft:.net_framework	microsoft .net framework	eq	2.0
microsoft:windows_server_2003	microsoft windows server 2003	eq	*
microsoft:windows_server_2008	microsoft windows server 2008	eq	*
microsoft:windows_server_2008	microsoft windows server 2008	eq	-
microsoft:.net_framework	microsoft .net framework	eq	3.5
microsoft:windows_vista	microsoft windows vista	eq	*
microsoft:windows_7	microsoft windows 7	eq	-
microsoft:.net_framework	microsoft .net framework	eq	1.0