CVE-2015-6125 — Improper Validation of Certificate with Host Mismatch in Microsoft Windows Server 2008

CWE-297 — Improper Validation of Certificate with Host Mismatch9 documents5 sources

Severity

9.3CRITICALNVD

EPSS

59.2%

top 1.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Windows Server 2008 Microsoft Windows Server 2012

Timeline

PublishedDec 9

Latest updateMay 14

Description

Use-after-free vulnerability in the DNS server in Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted requests, aka "Windows DNS Use After Free Vulnerability."

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages1 packages

▶NVDmicrosoft/windowsr2

🔴Vulnerability Details

GHSA

GHSA-26g4-3p64-cvvp: Use-after-free vulnerability in the DNS server in Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012 Gold and R2 allows remote attackers to↗2022-05-14

▶

📋Vendor Advisories

Red Hat

ruby: OpenSSL extension hostname matching implementation violates RFC 6125↗2015-03-30

▶

🕵️Threat Intelligence

Talos

Microsoft Patch Tuesday - December 2015↗2015-12-08

▶

Talos

Microsoft Patch Tuesday - December 2015↗2015-12-08

▶

💬Community

Bugzilla

CVE-2015-7826 botan: acceptance of invalid certificate names↗2016-02-24

▶

Bugzilla

CVE-2015-1855 ruby: OpenSSL extension hostname matching implementation violates RFC 6125↗2015-04-08

▶