Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2006-1364

CWE-400Uncontrolled Resource Consumption6 documents4 sources
Severity
7.5HIGH
EPSS
29.5%
top 3.39%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Microsoft Asp.net
Timeline
PublishedMar 23
Latest updateMay 1

Description

Microsoft w3wp (aka w3wp.exe) does not properly handle when the AspCompat directive is not used when referencing COM components in ASP.NET, which allows remote attackers to cause a denial of service (resource consumption or crash) by repeatedly requesting each of several documents that refer to COM components, or are restricted documents located under the ASP.NET application path.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-c7vq-ch45-23mm: Microsoft w3wp (aka w3wp2022-05-01
CVEList
CVE-2006-1364: Microsoft w3wp (aka w3wp2006-03-23

💥Exploits & PoCs

3
Exploit-DB
Oracle 9i/10g - 'extproc' Local/Remote Command Execution2006-12-19
Exploit-DB
ASP.NET w3wp - COM Components Remote Crash2006-03-22
Exploit-DB
Oracle 9i - Multiple Vulnerabilities2004-08-04
CVE-2006-1364 (HIGH CVSS 7.5) | Microsoft w3wp (aka w3wp.exe) does | cvebase.io