CVE-2010-3332
Microsoft ASP.NET - Padding Oracle (MS10-070)
Descriptions
Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."
Timeline
- 2010-09-14 CVE Reserved
- 2010-09-22 CVE Published
- 2010-10-06 First Exploit
- 2024-08-07 CVE Updated
- 2024-11-09 EPSS Updated
CWE
- CWE-209: Generation of Error Message Containing Sensitive Information
References (23)
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/15213 | 2010-10-06 | |
https://www.exploit-db.com/exploits/15265 | 2010-10-17 | |
https://www.exploit-db.com/exploits/15292 | 2010-10-20 | |
http://www.mono-project.com/Vulnerabilities#ASP.NET_Padding_Oracle | 2024-08-07 | |
http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html | 2024-08-07 | |
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070 | 2020-11-23 | |
http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx | 2020-11-23 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | | Vendor | Product | Version | Other | Status |
---|---|---|---|---|---|---|---|---|---|---|
Microsoft | .NET Framework | 1.1 | sp1 | Affected | in | Microsoft | Internet Information Services | - | - | Safe |
Microsoft | .NET Framework | 2.0 | sp1 | Affected | in | Microsoft | Internet Information Services | - | - | Safe |
Microsoft | .NET Framework | 2.0 | sp2 | Affected | in | Microsoft | Internet Information Services | - | - | Safe |
Microsoft | .NET Framework | 3.5 | - | Affected | in | Microsoft | Internet Information Services | - | - | Safe |
Microsoft | .NET Framework | 3.5 | sp1 | Affected | in | Microsoft | Internet Information Services | - | - | Safe |
Microsoft | .NET Framework | 3.5.1 | - | Affected | in | Microsoft | Internet Information Services | - | - | Safe |
Microsoft | .NET Framework | 4.0 | - | Affected | in | Microsoft | Internet Information Services | - | - | Safe |