CVE-2010-3332

Summary

CVE	CVE-2010-3332
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2010-09-22 19:00:00 UTC
Updated	2020-11-23 19:50:00 UTC
Description	Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."

Risk And Classification

Problem Types: CWE-209

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Microsoft	.net Framework	1.1	sp1	All	All
Application	Microsoft	.net Framework	2.0	sp1	All	All
Application	Microsoft	.net Framework	2.0	sp2	All	All
Application	Microsoft	.net Framework	3.5	-	All	All
Application	Microsoft	.net Framework	3.5	sp1	All	All
Application	Microsoft	.net Framework	3.5.1	All	All	All
Application	Microsoft	.net Framework	4.0	-	All	All
Application	Microsoft	.net Framework	1.1	sp1	All	All
Application	Microsoft	.net Framework	2.0	sp1	All	All
Application	Microsoft	.net Framework	2.0	sp2	All	All
Application	Microsoft	.net Framework	3.5	-	All	All
Application	Microsoft	.net Framework	3.5	sp1	All	All
Application	Microsoft	.net Framework	3.5.1	All	All	All
Application	Microsoft	.net Framework	4.0	-	All	All
Application	Microsoft	Internet Information Services	-	All	All	All
Application	Microsoft	Internet Information Services	-	All	All	All

References

Reference	Source	Link	Tags
ekoparty Security Conference	MISC	www.ekoparty.org	Broken Link
Important: ASP.NET Security Vulnerability - ScottGu's Blog	CONFIRM	weblogs.asp.net	Mitigation, Third Party Advisory
DotNetNuke Blogs - Oracle Padding Vulnerability in ASP.NET	MISC	www.dotnetnuke.com	Third Party Advisory
JavaScript is not available.	MISC	twitter.com	Broken Link
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH	VUPEN	www.vupen.com	Third Party Advisory
Understanding the ASP.NET Vulnerability - Security Research & Defense - Site Home - TechNet Blogs	CONFIRM	blogs.technet.com	Vendor Advisory
Microsoft Security Bulletin MS10-070 - Important \| Microsoft Docs	MS	docs.microsoft.com	Patch, Vendor Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH	VUPEN	www.vupen.com	Third Party Advisory
Repository / Oval Repository	OVAL	oval.cisecurity.org	Third Party Advisory
Your request has been blocked. This could be due to several reasons.	CONFIRM	www.microsoft.com	Broken Link
Vulnerabilities - Mono	CONFIRM	www.mono-project.com	Exploit, Third Party Advisory
Microsoft .NET Framework ASP.NET Padding Oracle Information Disclosure Vulnerability	BID	www.securityfocus.com	Third Party Advisory, VDB Entry
ASP.NET POET Vulnerability - What Else Can I Do? : The Penton-izer	MISC	pentonizer.com	Third Party Advisory
Security researchers 'destroy' microsoft asp.net security - The Inquirer	MISC	www.theinquirer.net	Third Party Advisory
InfoSec Handlers Diary Blog	MISC	isc.sans.edu	Third Party Advisory
Troy Hunt: Fear, uncertainty and the padding oracle exploit in ASP.NET	MISC	www.troyhunt.com	Exploit, Third Party Advisory
SecurityTracker.com Archives - Microsoft ASP.NET Padding Oracle Attack Lets Remote Users Decrypt Data	SECTRACK	securitytracker.com	Third Party Advisory, VDB Entry
IBM X-Force Exchange	XF	exchange.xforce.ibmcloud.com	Third Party Advisory, VDB Entry
'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps \| threatpost	MISC	threatpost.com	Third Party Advisory
Microsoft ASP.NET Cryptographic Padding Oracle Information Disclosure - Advisories - Community	SECUNIA	secunia.com	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.