Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2010-3332 — Information Exposure via Error Message in Microsoft NET Framework

CWE-209 — Information Exposure via Error Message9 documents6 sources

Severity

6.4MEDIUMNVD

EPSS

83.6%

top 0.71%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Microsoft NET Framework

Timeline

PublishedSep 22

Latest updateMay 13

Description

Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 10.0 | Impact: 4.9

Affected Packages1 packages

▶NVDmicrosoft/net_framework5 versions+4

Patches

Patch: docs.microsoft.com ↗Patch: docs.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-crcj-w6h9-q5f6: Microsoft↗2022-05-13

▶

CVEList

CVE-2010-3332: Microsoft↗2010-09-22

▶

VulnCheck

Microsoft .NET Framework Generation of Error Message Containing Sensitive Information↗2010

▶

💥Exploits & PoCs

Exploit-DB

Microsoft ASP.NET - Auto-Decryptor File Download (MS10-070)↗2010-10-20

▶

Exploit-DB

Microsoft ASP.NET - Padding Oracle File Download (MS10-070)↗2010-10-17

▶

Exploit-DB

Microsoft ASP.NET - Padding Oracle (MS10-070)↗2010-10-06

▶

🕵️Threat Intelligence

Talos

Rule Release for Today, Thursday September 23rd, 2010↗2010-09-23

▶

Talos

Rule Release for Today, Thursday September 23rd, 2010↗2010-09-23

▶