Lucene search

PRIOn knowledge basePRION:CVE-2010-3332

HistorySep 22, 2010 - 7:00 p.m.

Buffer overflow

2010-09-2219:00:00

PRIOn knowledge base

www.prio-n.com

6.7 Medium

AI Score

Confidence

Low

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.969 High

EPSS

Percentile

99.7%

JSON

Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka “ASP.NET Padding Oracle Vulnerability.”

CPENameOperatorVersion
.net_frameworkeq1.1 sp1
.net_frameworkeq2.0 sp2
.net_frameworkeq2.0 sp1
.net_frameworkeq3.5 sp1
.net_frameworkeq3.5
.net_frameworkeq3.5.1
.net_frameworkeq4.0

Name	Operator	Version
.net_framework	eq	1.1 sp1
.net_framework	eq	2.0 sp2
.net_framework	eq	2.0 sp1
.net_framework	eq	3.5 sp1
.net_framework	eq	3.5
.net_framework	eq	3.5.1
.net_framework	eq	4.0

References

blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx

isc.sans.edu/diary.html?storyid=9568

pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/

secunia.com/advisories/41409

securitytracker.com/id?1024459

threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310

www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2799/Oracle-Padding-Vulnerability-in-ASP-NET.aspx

www.ekoparty.org/juliano-rizzo-2010.php

www.microsoft.com/technet/security/advisory/2416728.mspx

www.mono-project.com/Vulnerabilities

www.securityfocus.com/bid/43316

www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security

www.vupen.com/english/advisories/2010/2429

www.vupen.com/english/advisories/2010/2751

docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070

exchange.xforce.ibmcloud.com/vulnerabilities/61898

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12365

twitter.com/thaidn/statuses/24832350146

weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html

6.7 Medium

AI Score

Confidence

Low

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.969 High

EPSS

Percentile

99.7%

JSON

Related for PRION:CVE-2010-3332