Vulnerability Name: CVE-2014-4078 (CCN-98338)

Assigned: 2014-11-11
Published: 2014-11-11
Updated: 2018-10-12
Summary: The IP Security feature in Microsoft Internet Information Services (IIS) 8.0 and 8.5 does not properly process wildcard allow and deny rules for domains within the "IP Address and Domain Restrictions" list, which makes it easier for remote attackers to bypass an intended rule set via an HTTP request, aka "IIS Security Feature Bypass Vulnerability."
CVSS v3 Severity: 4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): High
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): Low
    Integrity (I): Low
    Availability (A): None
CVSS v2 Severity: 5.1 Medium (CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
  3.8 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): High
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): Partial
  4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
  3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): High
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): None
Vulnerability Type: CWE-264
Vulnerability Consequences: Bypass Security
References:
Source: MITRE
Type: CNA
CVE-2014-4078

Source: CCN
Type: Microsoft Security Bulletin MS14-076
Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass (2982998)

Source: BID
Type: UNKNOWN
70937

Source: CCN
Type: BID-70937
Microsoft Internet Information Services CVE-2014-8985 Security Bypass Vulnerability

Source: SECTRACK
Type: UNKNOWN
1031194

Source: MS
Type: UNKNOWN
MS14-076

Source: XF
Type: UNKNOWN
ms-iis-cve20144078-security-bypass(98338)

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:microsoft:internet_information_services:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_information_services:8.5:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:
  Definition ID: oval:org.mitre.oval:def:27909
  Class: V
  Title: IIS Security feature bypass vulnerability - CVE-2014-4078 (MS14-076)
  Last Modified: 2014-12-29
    microsoft internet information services 8.0
    microsoft internet information services 8.5