Vulnerability Name:

CVE-2012-2531 (CCN-77358)

Assigned:2012-11-13
Published:2012-11-13
Updated:2021-02-05
Summary:Microsoft Internet Information Services (IIS) 7.5 uses weak permissions for the Operational log, which allows local users to discover credentials by reading this file, aka "Password Disclosure Vulnerability."
CVSS v3 Severity:4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-200
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2012-2531

Source: CCN
Type: SA51235
Microsoft Internet Information Services Two Information Disclosure Vulnerabilities

Source: CCN
Type: Microsoft Security Bulletin MS12-073
Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Information Disclosure (2733829)

Source: BID
Type: Third Party Advisory, VDB Entry
56439

Source: CCN
Type: BID-56439
Microsoft IIS CVE-2012-2531 Password Information Disclosure Vulnerability

Source: MS
Type: UNKNOWN
MS12-073

Source: XF
Type: UNKNOWN
ms-iis-logfiles-info-disc(77358)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:15959

Vulnerable Configuration:Configuration 1:
  • cpe:/o:microsoft:windows_server_2008:*:r2:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:*:r2:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_7:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_7:-:sp1:*:*:ultimate_n:*:x86:*
  • OR cpe:/o:microsoft:windows_7:-:sp1:*:*:ultimate_n:*:x64:*

    • Configuration CCN 1:
  • cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_vista:-:sp2:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x32:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_7:-:*:*:*:*:*:x32:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:*:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:*:*:*:*:*:itanium:*
  • OR cpe:/o:microsoft:windows_7:-:sp1:*:*:ultimate_n:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:15959
    V
    		Password Disclosure Vulnerability - MS12-073
    2014-08-18
    BACK
    microsoft windows server 2008 * r2
    microsoft windows server 2008 * r2
    microsoft windows 7 -
    microsoft windows 7 - sp1
    microsoft windows 7 - sp1
    microsoft windows server 2008 -
    microsoft windows vista - sp2
    microsoft windows vista - sp2
    microsoft windows server 2008 sp2
    microsoft windows server 2008 sp2
    microsoft windows 7 -
    microsoft windows server 2008 - r2
    microsoft windows server 2008 r2
    microsoft windows 7 - sp1
    microsoft windows server 2008 r2 sp1
    microsoft windows server 2008 r2 sp1