6.4

CVE-2010-3332

Exploit
Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Microsoft.Net Framework Version1.1 Updatesp1
Microsoft.Net Framework Version2.0 Updatesp1
Microsoft.Net Framework Version2.0 Updatesp2
Microsoft.Net Framework Version3.5 Update-
Microsoft.Net Framework Version3.5 Updatesp1
Microsoft.Net Framework Version3.5.1
Microsoft.Net Framework Version4.0 Update-
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 67.48% 0.992
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.4 10 4.9
AV:N/AC:L/Au:N/C:P/I:P/A:N
CWE-209 Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
Vendor Advisory
http://isc.sans.edu/diary.html?storyid=9568
Third Party Advisory
http://pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/
Third Party Advisory
http://secunia.com/advisories/41409
Third Party Advisory
http://securitytracker.com/id?1024459
Third Party Advisory
VDB Entry
http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310
Third Party Advisory
http://twitter.com/thaidn/statuses/24832350146
Broken Link
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
Third Party Advisory
Mitigation
http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2799/Oracle-Padding-Vulnerability-in-ASP-NET.aspx
Third Party Advisory
http://www.ekoparty.org/juliano-rizzo-2010.php
Broken Link
http://www.microsoft.com/technet/security/advisory/2416728.mspx
Broken Link
http://www.mono-project.com/Vulnerabilities#ASP.NET_Padding_Oracle
Third Party Advisory
Exploit
http://www.securityfocus.com/bid/43316
Third Party Advisory
VDB Entry
http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security
Third Party Advisory
http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
Third Party Advisory
Exploit
http://www.vupen.com/english/advisories/2010/2429
Third Party Advisory
http://www.vupen.com/english/advisories/2010/2751
Third Party Advisory
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070
Patch
Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/61898
Third Party Advisory
VDB Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12365
Third Party Advisory