Vulnerability Details : CVE-2010-3332
Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."
Exploit prediction scoring system (EPSS) score for CVE-2010-3332
Probability of exploitation activity in the next 30 days: 96.93%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 %
CVSS scores for CVE-2010-3332
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N | 10.0 | 4.9 | NIST |
CWE ids for CVE-2010-3332
- The product generates an error message that includes sensitive information about its environment, users, or associated data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2010-3332
- http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
  Understanding the ASP.NET Vulnerability – Microsoft Security Response Center [Vendor Advisory]
- http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310
  Threatpost | The first stop for security news [Third Party Advisory]
- http://securitytracker.com/id?1024459
  Microsoft ASP.NET Padding Oracle Attack Lets Remote Users Decrypt Data - SecurityTracker [Third Party Advisory; VDB Entry]
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070
  Microsoft Security Bulletin MS10-070 - Important | Microsoft Docs [Patch; Vendor Advisory]
- http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
  Troy Hunt: Fear, uncertainty and the padding oracle exploit in ASP.NET [Exploit; Third Party Advisory]
- http://www.vupen.com/english/advisories/2010/2751
  Webmail | OVH- OVH [Third Party Advisory]
- http://www.vupen.com/english/advisories/2010/2429
  Webmail | OVH- OVH [Third Party Advisory]
- http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
  ScottGu's Blog - Important: ASP.NET Security Vulnerability [Mitigation; Third Party Advisory]
- http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security
  Security researchers 'destroy' Microsoft ASP.NET security | TheINQUIRER [Third Party Advisory]
- http://twitter.com/thaidn/statuses/24832350146
  Twitter / ? [Broken Link]
- https://exchange.xforce.ibmcloud.com/vulnerabilities/61898
  Microsoft ASP.NET padding information disclosure CVE-2010-4007 Vulnerability Report [Third Party Advisory; VDB Entry]
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12365
  Repository / Oval Repository [Third Party Advisory]
- http://www.ekoparty.org/juliano-rizzo-2010.php
  ekoparty security conference [Broken Link]
- http://www.mono-project.com/Vulnerabilities#ASP.NET_Padding_Oracle
  Vulnerabilities | Mono [Exploit; Third Party Advisory]
- http://isc.sans.edu/diary.html?storyid=9568
  InfoSec Handlers Diary Blog - Microsoft Security Advisory for ASP.NET [Third Party Advisory]
- http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2799/Oracle-Padding-Vulnerability-in-ASP-NET.aspx
  Oracle Padding Vulnerability in ASP.NET > DNN Software [Third Party Advisory]
- http://www.securityfocus.com/bid/43316
  Microsoft .NET Framework ASP.NET Padding Oracle Information Disclosure Vulnerability [Third Party Advisory; VDB Entry]
- http://pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/
  ASP.NET POET Vulnerability - What Else Can I Do? : The Penton-izer [Third Party Advisory]
- http://www.microsoft.com/technet/security/advisory/2416728.mspx
  Technical documentation, API, and code examples | Microsoft Docs [Broken Link]
Products affected by CVE-2010-3332
- cpe:2.3:a:microsoft:.net_framework:1.1:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:2.0:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:3.5:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:3.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:3.5:-:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:4.0:-:*:*:*:*:*:*