CVE-2010-3332

2010-09-2219:00:00

CWE-209

[email protected]

web.nvd.nist.gov

122

microsoft

.net framework

asp.net

padding oracle

vulnerability

cve-2010-3332

nvd

6.1 Medium

AI Score

Confidence

Low

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.969 High

EPSS

Percentile

99.7%

JSON

Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka “ASP.NET Padding Oracle Vulnerability.”

CPENameOperatorVersion
microsoft:.net_frameworkmicrosoft .net frameworkeq1.1
microsoft:.net_frameworkmicrosoft .net frameworkeq2.0
microsoft:.net_frameworkmicrosoft .net frameworkeq3.5
microsoft:.net_frameworkmicrosoft .net frameworkeq3.5.1
microsoft:.net_frameworkmicrosoft .net frameworkeq4.0

CPE	Name	Operator	Version
microsoft:.net_framework	microsoft .net framework	eq	1.1
microsoft:.net_framework	microsoft .net framework	eq	2.0
microsoft:.net_framework	microsoft .net framework	eq	3.5
microsoft:.net_framework	microsoft .net framework	eq	3.5.1
microsoft:.net_framework	microsoft .net framework	eq	4.0