CVE-2010-3332
Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."
Published: 2010-09-22T19:00:06.213
Last Modified: 2025-04-11T00:51:21.963
Status: Deferred
Source: [email protected]
Severity: CVSSv2 6.4 (MEDIUM)
CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
- Access Vector: NETWORK
- Access Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: PARTIAL
- Availability Impact: NONE
Exploitability Score: 10.0
Impact Score: 4.9
References
- http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx (Vendor Advisory)
- http://isc.sans.edu/diary.html?storyid=9568 (Third Party Advisory)
- http://pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/ (Third Party Advisory)
- http://secunia.com/advisories/41409 (Third Party Advisory)
- http://securitytracker.com/id?1024459 (Third Party Advisory, VDB Entry)
- http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310 (Third Party Advisory)
- http://twitter.com/thaidn/statuses/24832350146 (Broken Link)
- http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx (Mitigation, Third Party Advisory)
- http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2799/Oracle-Padding-Vulnerability-in-ASP-NET.aspx (Third Party Advisory)
- http://www.ekoparty.org/juliano-rizzo-2010.php (Broken Link)
- http://www.microsoft.com/technet/security/advisory/2416728.mspx (Broken Link)
- http://www.mono-project.com/Vulnerabilities#ASP.NET_Padding_Oracle (Exploit, Third Party Advisory)
- http://www.securityfocus.com/bid/43316 (Third Party Advisory, VDB Entry)
- http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security (Third Party Advisory)
- http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html (Exploit, Third Party Advisory)
- http://www.vupen.com/english/advisories/2010/2429 (Third Party Advisory)
- http://www.vupen.com/english/advisories/2010/2751 (Third Party Advisory)
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070 (Patch, Vendor Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/61898 (Third Party Advisory, VDB Entry)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12365 (Third Party Advisory)