CVE-2010-3332

high

Description

Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."

References

Advisories
More

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12365

https://exchange.xforce.ibmcloud.com/vulnerabilities/61898

http://www.vupen.com/english/advisories/2010/2751

http://www.vupen.com/english/advisories/2010/2429

http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security

http://www.securityfocus.com/bid/43316

http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2799/Oracle-Padding-Vulnerability-in-ASP-NET.aspx

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310

http://securitytracker.com/id?1024459

http://secunia.com/advisories/41409

http://pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/

http://isc.sans.edu/diary.html?storyid=9568

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070

http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx

Details

Source: Mitre, NVD

Published: 2010-09-22

Updated: 2025-04-11

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High

EPSS

EPSS: 0.89683