Vulnerability CVE-2008-0075 - CERT Civis.Net

Vulnerability Name:

CVE-2008-0075 (CCN-39230)

Assigned:

2008-02-12

Published:

2008-02-12

Updated:

2020-11-23

Summary:

Unspecified vulnerability in Microsoft Internet Information Services (IIS) 5.1 through 6.0 allows remote attackers to execute arbitrary code via crafted inputs to ASP pages.

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
7.4 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-94
CWE-noinfo

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2008-0075

Source: HP
Type: UNKNOWN
HPSBST02314

Source: CCN
Type: SA28893
Microsoft Internet Information Services Code Execution Vulnerability

Source: SECUNIA
Type: UNKNOWN
28893

Source: CCN
Type: SECTRACK ID: 1019385
Microsoft Internet Information Services Error in Processing ASP Page Input Lets Remote Users Execute Arbitrary Code

Source: CCN
Type: ASA-2008-066
MS08-006 Vulnerability in Internet Information Services Could Allow Remote Code Execution (942830)

Source: CCN
Type: Microsoft Security Bulletin MS08-006
Vulnerability in Internet Information Services Could Allow Remote Code Execution (942830)

Source: CCN
Type: Microsoft Security Bulletin MS10-065
Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960)

Source: BID
Type: UNKNOWN
27676

Source: CCN
Type: BID-27676
Microsoft Internet Information Services ASP Remote Code Execution Vulnerability

Source: SECTRACK
Type: UNKNOWN
1019385

Source: CERT
Type: US Government Resource
TA08-043C

Source: VUPEN
Type: UNKNOWN
ADV-2008-0508

Source: MS
Type: UNKNOWN
MS08-006

Source: XF
Type: UNKNOWN
iis-htmlencode-code-execution(39230)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:5308

Vulnerable Configuration:

Configuration 1:

cpe:/a:microsoft:internet_information_services:6.0:*:*:*:*:*:*:*

OR cpe:/a:microsoft:internet_information_server:6.0:beta:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:microsoft:internet_information_server:6.0:*:*:*:*:*:*:*

OR cpe:/a:microsoft:internet_information_services:5.1:*:*:*:*:*:*:*

AND

cpe:/o:microsoft:windows:2003_server::x64:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:-:sp2:*:*:professional:*:x86:*

OR cpe:/o:microsoft:windows:2003_server:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:2003_server:sp1_itanium:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:server_2003:sp2:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:server_2003:sp2:itanium:*:*:*:*:*

OR cpe:/o:microsoft:windows:server_2003:sp2:x64:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp::sp2:x64:*:professional:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:5308	V	Internet Information Services Remote Code Execution Vulnerability	2011-11-14