Vulnerability Name: CVE-2004-0847 (CCN-17644)
Assigned: 2004-09-14
Published: 2004-09-14
Updated: 2018-10-12
Summary: The Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability."
CVSS v3 Severity: 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Vulnerability Type: CWE-22
Vulnerability Consequences: Bypass Security
References:
  Source: CCN Type: NTBugTraq Mailing List, Tue Sep 14 2004 - 06:42:28 CDT Security bug in .NET Forms Authentication
  Source: NTBUGTRAQ Type: Exploit, Vendor Advisory 20040914 Security bug in .NET Forms Authentication
  Source: CCN Type: NTBugTraq Mailing List, Thu Oct 07 2004 - 22:12:21 CDT More details on ASP.NET vulnerability
  Source: MITRE Type: CNA CVE-2004-0847
  Source: MISC Type: Broken Link http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754
  Source: CCN Type: Microsoft Knowledge Base Article 887459 Programmatically check for canonicalization issues with ASP.NET
  Source: CCN Type: Microsoft Security Bulletin MS12-035 Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2693777)
  Source: CCN Type: Microsoft Security Bulletin MS13-040 Vulnerabilities in .NET Framework Could Allow Spoofing (2836440)
  Source: CCN Type: Microsoft Security Bulletin MS13-082 Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890)
  Source: CCN Type: Microsoft Security Bulletin MS15-080 Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3078662)
  Source: CCN Type: Microsoft Security Bulletin MS15-097 Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656)
  Source: CCN Type: Microsoft Security Bulletin MS15-115 Security Update for Microsoft Windows to Address Remote Code Execution (3105864)
  Source: CCN Type: Microsoft Security Bulletin MS15-116 Security Updates for Microsoft Office to Address Remote Code Execution (3104540)
  Source: CCN Type: Microsoft Security Bulletin MS15-123 Security Update for Skype for Business and Lync to Address Information Disclosure (3105872)
  Source: CCN Type: Microsoft Security Bulletin MS15-128 Security Update for Microsoft Graphics Component to Address Remote Code Execution (3104503)
  Source: CCN Type: Microsoft Security Bulletin MS15-129 Security Update for Silverlight to Address Remote Code Execution (3106614)
  Source: CCN Type: Microsoft Security Bulletin MS15-131 Security Update for Microsoft Office to Address Remote Code Execution (3116111)
  Source: CCN Type: Microsoft Security Bulletin MS15-132 Security Update for Microsoft Windows to Address Remote Code Execution (3116162)
  Source: CCN Type: Microsoft Security Bulletin MS15-135 Security Update for Windows Kernel Mode Drivers to Address Elevation of Privilege (3119075)
  Source: CCN Type: Microsoft Security Bulletin MS16-004 Security Update for Microsoft Office to Address Remote Code Execution - Critical (3124585)
  Source: CCN Type: Microsoft Security Bulletin MS16-006 Security Update for Silverlight to Address Remote Code Execution (3126036)
  Source: CCN Type: Microsoft Security Bulletin MS16-008 Security Update for Kernel to Address Elevation of Privilege (3124605)
  Source: CCN Type: Microsoft Security Bulletin MS16-014 Security update for Microsoft Windows to Address Remote Code Execution (3134228)
  Source: CCN Type: Microsoft Security Bulletin MS16-015 Security Update for Microsoft Office to Address Remote Code Execution (3134226)
  Source: CCN Type: Microsoft Security Bulletin MS16-029 Security Update for Microsoft Office to Address Remote Code Execution (3141806)
  Source: CCN Type: Microsoft Security Bulletin MS16-031 Security Update for Microsoft Windows to Address Elevation of Privilege (3140410)
  Source: CCN Type: Microsoft Security Bulletin MS16-035 Security Update for .NET Framework to Address Security Feature Bypass (3141780)
  Source: CCN Type: Microsoft Security Bulletin MS16-042 Security Update for Microsoft Office (3148775)
  Source: CCN Type: Microsoft Security Bulletin MS16-044 Security Update for Windows OLE (3146706)
  Source: CCN Type: Microsoft Security Bulletin MS16-048 Security Update for CSRSS (3148528)
  Source: CCN Type: Microsoft Security Bulletin MS16-054 Security Update for Microsoft Office (3155544)
  Source: CCN Type: Microsoft Security Bulletin MS16-060 Security Update for Windows Kernel (3154846)
  Source: CCN Type: Microsoft Security Bulletin MS16-061 Security Update for Microsoft RPC (3155520)
  Source: CCN Type: Microsoft Security Bulletin MS16-070 Security Update for Office (3163610)
  Source: CCN Type: Microsoft Security Bulletin MS16-088 Security Updates for Office (3170008)
  Source: CCN Type: Microsoft Security Bulletin MS16-092 Security Update for Windows Kernel (3171910)
  Source: CCN Type: Microsoft Security Bulletin MS16-097 Security Update for Microsoft Graphics Component (3177393)
  Source: CCN Type: Microsoft Security Bulletin MS16-099 Security Update for Office (3177451)
  Source: CCN Type: Microsoft Security Bulletin MS16-106 Security Update for Microsoft Graphics Component (3185848)
  Source: CCN Type: Microsoft Security Bulletin MS16-107 Security Update for Microsoft Office (3185852)
  Source: CCN Type: Microsoft Security Bulletin MS16-109 Security Update for Silverlight (3182373)
  Source: CCN Type: Microsoft Security Bulletin MS16-111 Security Update for Windows Kernel (3186973)
  Source: CCN Type: Microsoft Security Bulletin MS16-120 Security Update for Microsoft Graphics Component (3192884)
  Source: CCN Type: Microsoft Security Bulletin MS16-121 Security Update for Microsoft Office (3194063)
  Source: CCN Type: Microsoft Security Bulletin MS16-122 Security Update for Microsoft Video Control (3195360)
  Source: CCN Type: Microsoft Security Bulletin MS16-123 Security Update for Kernel-Mode Drivers (3192892)
  Source: CCN Type: Microsoft Security Bulletin MS16-124 Security Update for Windows Registry (3193227)
  Source: CCN Type: Microsoft Security Bulletin MS16-126 Security Update for Microsoft Internet Messaging API (3196067)
  Source: CCN Type: Microsoft Security Bulletin MS16-131 Security Update for Microsoft Video Control (3199151)
  Source: CCN Type: Microsoft Security Bulletin MS16-133 Security Update for Microsoft Office (3199168)
  Source: CCN Type: Microsoft Security Bulletin MS16-139 Security Update for Windows Kernel (3199720)
  Source: CCN Type: Microsoft Security Bulletin MS16-148 Security Update for Microsoft Office (3204068)
  Source: CCN Type: Microsoft Security Bulletin MS16-155 Security Update for .NET Framework (3205640)
  Source: CCN Type: Microsoft Security Bulletin MS17-002 Security Update for Microsoft Office (3214291)
  Source: CCN Type: Microsoft Security Bulletin MS17-006 Cumulative Security Update for Internet Explorer (4013073)
  Source: CCN Type: Microsoft Security Bulletin MS17-013 Security Update for Microsoft Graphics Component (4013075)
  Source: CCN Type: Microsoft Security Bulletin MS17-014 Security Update for Microsoft Office (4013241)
  Source: CCN Type: CIAC Information Bulletin P-127 Microsoft ASP.NET Path Validation Vulnerability
  Source: CCN Type: US-CERT VU#283646 Microsoft ASP.NET fails to perform proper canonicalization
  Source: CERT-VN Type: Third Party Advisory, US Government Resource VU#283646
  Source: CCN Type: Microsoft Corporation Web site Microsoft ASP.NET ValidatePath Module
  Source: CCN Type: Microsoft Security Bulletin MS05-004 ASP.NET Path Validation Vulnerability (887219)
  Source: CCN Type: Microsoft Security Bulletin MS07-040 Vulnerabilities in .NET Framework Could Allow Remote Code Execution (931212)
  Source: CCN Type: Microsoft Security Bulletin MS09-061 Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378)
  Source: CCN Type: Microsoft Security Bulletin MS10-041 Vulnerabilities in the Microsoft .NET Framework Could Allow Tampering (981343)
  Source: CCN Type: Microsoft Security Bulletin MS10-060 Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)
  Source: CCN Type: Microsoft Security Bulletin MS11-044 Vulnerability in .NET Framework Could Allow Remote Code Execution (2538814)
  Source: CCN Type: Microsoft Security Bulletin MS11-078 Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)
  Source: BID Type: Third Party Advisory, VDB Entry 11342
  Source: CCN Type: BID-11342 Microsoft ASP.NET URI Canonicalization Unauthorized Web Access Vulnerability
  Source: CERT Type: Third Party Advisory, US Government Resource TA05-039A
  Source: MS Type: UNKNOWN MS05-004
  Source: XF Type: Third Party Advisory, VDB Entry windows-forms-security-bypass(17644)
  Source: XF Type: UNKNOWN ms-aspnet-security-bypass(17644)
  Source: OVAL Type: Third Party Advisory oval:org.mitre.oval:def:3556
  Source: OVAL Type: Third Party Advisory oval:org.mitre.oval:def:4987
Vulnerable Configuration: Configuration 1: Configuration CCN 1: Denotes that component is vulnerable