CVE-2007-5277: Failing Open in Microsoft Internet Explorer

Severity: 4.3 MEDIUM (NVD)
EPSS: 11.5% (top 6.36%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Oct 8
Latest update: May 1

Description

Microsoft Internet Explorer 6 drops DNS pins based on failed connections to irrelevant TCP ports, which makes it easier for remote attackers to conduct DNS rebinding attacks, as demonstrated by a port 81 URL in an IMG SRC, when the DNS pin had been established for a session on port 80, a different issue than CVE-2006-4560.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages: 1 package

🔴 Vulnerability Details (1)

GHSA
GHSA-rxph-92gh-ccv4 (2022-05-01): Microsoft Internet Explorer 6 drops DNS pins based on failed connections to irrelevant TCP ports, which makes it easier for remote attackers to conduc

📐 Framework References (2)

CWE: Not Failing Securely ('Failing Open')
CWE: Violation of Secure Design Principles