Lucene search

[email protected]NVD:CVE-2010-3332

HistorySep 22, 2010 - 7:00 p.m.

CVE-2010-3332

2010-09-2219:00:06

CWE-209

[email protected]

web.nvd.nist.gov

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

6.1 Medium

AI Score

Confidence

Low

0.969 High

EPSS

Percentile

99.7%

JSON

Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka “ASP.NET Padding Oracle Vulnerability.”

Affected configurations

NVD

Node

microsoft.net_frameworkMatch1.1sp1

microsoft.net_frameworkMatch2.0sp1

microsoft.net_frameworkMatch2.0sp2

microsoft.net_frameworkMatch3.5-

microsoft.net_frameworkMatch3.5sp1

microsoft.net_frameworkMatch3.5.1

microsoft.net_frameworkMatch4.0-

AND

microsoftinternet_information_servicesMatch-

References

blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx

isc.sans.edu/diary.html?storyid=9568

pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/

secunia.com/advisories/41409

securitytracker.com/id?1024459

threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310

twitter.com/thaidn/statuses/24832350146

weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2799/Oracle-Padding-Vulnerability-in-ASP-NET.aspx

www.ekoparty.org/juliano-rizzo-2010.php

www.microsoft.com/technet/security/advisory/2416728.mspx

www.mono-project.com/Vulnerabilities#ASP.NET_Padding_Oracle

www.securityfocus.com/bid/43316

www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security

www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html

www.vupen.com/english/advisories/2010/2429

www.vupen.com/english/advisories/2010/2751

docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070

exchange.xforce.ibmcloud.com/vulnerabilities/61898

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12365

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

6.1 Medium

AI Score

Confidence

Low

0.969 High

EPSS

Percentile

99.7%

JSON

Related for NVD:CVE-2010-3332

openvas4 checkpoint_advisories2 nessus6 seebug1 mskb1 prion1 cvelist1 cve1 gentoo1