// For flags

CVE-2010-3332

Microsoft ASP.NET - Padding Oracle (MS10-070)

Severity Score

6.4
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

5
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."

Microsoft .NET Framework versiones 1.1 SP1, 2.0 SP1 y SP2, 3.5, 3.5 SP1, 3.5.1 y 4.0, tal y como es usado por ASP.NET de Internet Information Services (IIS) de Microsoft, proporciona códigos de error detallados durante los intentos de descifrado, lo que permite a los atacantes remotos descifrar y modificar los datos cifrados del formulario View State (también se conoce como __VIEWSTATE), y posiblemente falsificar cookies o leer archivos de aplicación, por medio de un ataque de tipo oracle padding, también se conoce como "ASP.NET Padding Oracle Vulnerability".

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2010-09-14 CVE Reserved
  • 2010-09-22 CVE Published
  • 2010-10-06 First Exploit
  • 2024-08-07 CVE Updated
  • 2024-11-09 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-209: Generation of Error Message Containing Sensitive Information
CAPEC
References (23)
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Microsoft
Search vendor "Microsoft"
.net Framework
Search vendor "Microsoft" for product ".net Framework"
1.1
Search vendor "Microsoft" for product ".net Framework" and version "1.1"
sp1
Affected
in Microsoft
Search vendor "Microsoft"
Internet Information Services
Search vendor "Microsoft" for product "Internet Information Services"
--
Safe
Microsoft
Search vendor "Microsoft"
.net Framework
Search vendor "Microsoft" for product ".net Framework"
2.0
Search vendor "Microsoft" for product ".net Framework" and version "2.0"
sp1
Affected
in Microsoft
Search vendor "Microsoft"
Internet Information Services
Search vendor "Microsoft" for product "Internet Information Services"
--
Safe
Microsoft
Search vendor "Microsoft"
.net Framework
Search vendor "Microsoft" for product ".net Framework"
2.0
Search vendor "Microsoft" for product ".net Framework" and version "2.0"
sp2
Affected
in Microsoft
Search vendor "Microsoft"
Internet Information Services
Search vendor "Microsoft" for product "Internet Information Services"
--
Safe
Microsoft
Search vendor "Microsoft"
.net Framework
Search vendor "Microsoft" for product ".net Framework"
3.5
Search vendor "Microsoft" for product ".net Framework" and version "3.5"
-
Affected
in Microsoft
Search vendor "Microsoft"
Internet Information Services
Search vendor "Microsoft" for product "Internet Information Services"
--
Safe
Microsoft
Search vendor "Microsoft"
.net Framework
Search vendor "Microsoft" for product ".net Framework"
3.5
Search vendor "Microsoft" for product ".net Framework" and version "3.5"
sp1
Affected
in Microsoft
Search vendor "Microsoft"
Internet Information Services
Search vendor "Microsoft" for product "Internet Information Services"
--
Safe
Microsoft
Search vendor "Microsoft"
.net Framework
Search vendor "Microsoft" for product ".net Framework"
3.5.1
Search vendor "Microsoft" for product ".net Framework" and version "3.5.1"
-
Affected
in Microsoft
Search vendor "Microsoft"
Internet Information Services
Search vendor "Microsoft" for product "Internet Information Services"
--
Safe
Microsoft
Search vendor "Microsoft"
.net Framework
Search vendor "Microsoft" for product ".net Framework"
4.0
Search vendor "Microsoft" for product ".net Framework" and version "4.0"
-
Affected
in Microsoft
Search vendor "Microsoft"
Internet Information Services
Search vendor "Microsoft" for product "Internet Information Services"
--
Safe