CVE-2009-1122
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass
Severity Score
7.5
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The WebDAV extension in Microsoft Internet Information Services (IIS) 5.0 on Windows 2000 SP4 does not properly decode URLs, which allows remote attackers to bypass authentication, and possibly read or create files, via a crafted HTTP request, aka "IIS 5.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1535.
The WebDAV extension in Microsoft Internet Information Services (IIS) v5.0 on Windows 2000 SP4 does not properly decode URLs, which allows remote attackers to bypass authentication, and possibly read or create files, via a crafted HTTP request, also known as "IIS v5.0 WebDAV Authentication Bypass Vulnerability"
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2009-03-25 CVE Reserved
- 2009-05-26 First Exploit
- 2009-06-10 CVE Published
- 2024-08-07 CVE Updated
- 2024-10-07 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-287: Improper Authentication
CAPEC
References (8)
URL | Tag | Source |
---|---|---|
http://www.attrition.org/pipermail/vim/2009-June/002192.html | Mailing List | |
http://www.securityfocus.com/bid/35232 | Third Party Advisory | |
http://www.securitytracker.com/id?1022358 | Third Party Advisory | |
http://www.us-cert.gov/cas/techalerts/TA09-160A.html | Third Party Advisory | |
http://www.vupen.com/english/advisories/2009/1539 | Third Party Advisory | |
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5861 | Signature | |
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/8806 | 2009-05-26 |
URL | Date | SRC |
---|---|---|
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-020 | 2020-11-23 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | | Vendor | Product | Version | Other | Status |
---|---|---|---|---|---|---|---|---|---|---|
Microsoft | Internet Information Services | 5.0 | - | Affected | in | Microsoft | Windows 2000 | - | sp4 | Safe |