CVE-2009-2494

EPSS 60.59%
Published 12.08.2009 17:30:00
Last modified 09.04.2025 00:30:58
Source secure@microsoft.com
Teams watchlist Login
Open Login

The Active Template Library (ATL) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via vectors related to erroneous free operations after reading a variant from a stream and deleting this variant, aka "ATL Object Type Mismatch Vulnerability."

Affected products Warnungen 0 Metrics 3 CWE 1 References 12

Data is provided by the National Vulnerability Database (NVD)

Microsoft ≫ Windows 2000 Version- Updatesp4

Microsoft ≫ Windows Server 2003 Updatesp2

Microsoft ≫ Windows Server 2008 Editionitanium

Microsoft ≫ Windows Server 2008 Version- Update- Editionx32

Microsoft ≫ Windows Server 2008 Version- Update- Editionx64

Microsoft ≫ Windows Server 2008 Version- Updatesp2 Editionitanium

Microsoft ≫ Windows Server 2008 Version- Updatesp2 Editionx64

Microsoft ≫ Windows Server 2008 Version- Updatesp2 Editionx86

Microsoft ≫ Windows Vista

Microsoft ≫ Windows Vista Updatesp1

Microsoft ≫ Windows Vista Updatesp2

Microsoft ≫ Windows Vista Version- Updatesp1

Microsoft ≫ Windows Vista Version- Updatesp2

Microsoft ≫ Windows Xp Version- Updatesp2

Microsoft ≫ Windows Xp Version- Updatesp2 Editionx64

Microsoft ≫ Windows Xp Version- Updatesp3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	60.59%	0.982

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	10	10	10	AV:N/AC:L/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspx

http://secunia.com/advisories/36187

Vendor Advisory

http://www.us-cert.gov/cas/techalerts/TA09-223A.html

US Government Resource

http://www.vupen.com/english/advisories/2009/2232

Vendor Advisory

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-037

http://www.securitytracker.com/id?1022712

http://osvdb.org/56910

http://www.securityfocus.com/bid/35982

Patch

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5708

https://nvd.nist.gov/vuln/detail/CVE-2009-2494

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2009-2494

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2009-2494

EUVD