Vulnerability Name:

CVE-2013-3185 (CCN-86072)

Assigned: 2013-08-13
Published: 2013-08-13
Updated: 2020-09-28
Summary: Microsoft Active Directory Federation Services (AD FS) 1.x through 2.1 on Windows Server 2003 R2 SP2, Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 allows remote attackers to obtain sensitive information about the service account, and possibly conduct account-lockout attacks, by connecting to an endpoint, aka "AD FS Information Disclosure Vulnerability."
CVSS v3 Severity: 7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
5.8 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-200
Vulnerability Consequences: Denial of Service
References: Source: MITRE
Type: CNA
CVE-2013-3185

Source: CCN
Type: SA54459
Microsoft Windows Active Directory Federation Services Information Disclosure Vulnerability

Source: CCN
Type: Microsoft Security Bulletin MS13-066
Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (2873872)

Source: CCN
Type: BID-61672
Microsoft Active Directory Federation Services CVE-2013-3185 Information Disclosure Vulnerability

Source: CERT
Type: Third Party Advisory, US Government Resource
TA13-225A

Source: MS
Type: UNKNOWN
MS13-066

Source: XF
Type: UNKNOWN
ms-adfs-cve20133185-info-disc(86072)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:18318

Vulnerable Configuration: Configuration 1:
  • cpe:/a:microsoft:active_directory_federation_services:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:active_directory_federation_services:2.1:*:*:*:*:*:*:*
  • AND
  • cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x32:*
  • OR cpe:/o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x32:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2003:r2:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2012:*:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID: oval:org.mitre.oval:def:18318
    Class: V
    Title: Vulnerability in Active Directory Federation Services could allow information disclosure - MS13-066
    Last Modified: 2015-08-10