| Vulnerability Name: | CVE-2015-1635 (CCN-101923) | ||||||||
| Assigned: | 2015-04-14 | ||||||||
| Published: | 2015-04-14 | ||||||||
| Updated: | 2019-05-14 | ||||||||
| Summary: | HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability." | ||||||||
| CVSS v3 Severity: | 10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
| ||||||||
| CVSS v2 Severity: | 10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C) 8.3 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
7.7 High (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
| ||||||||
| Vulnerability Type: | CWE-94 | ||||||||
| Vulnerability Consequences: | Gain Access | ||||||||
| References: | Source: MITRE Type: CNA CVE-2015-1635 Source: MISC Type: Exploit, Third Party Advisory, VDB Entry http://packetstormsecurity.com/files/131463/Microsoft-Windows-HTTP.sys-Proof-Of-Concept.html Source: CCN Type: Microsoft Security Bulletin MS15-034 Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553) Source: OSVDB Type: Broken Link 120629 Source: BID Type: Third Party Advisory, VDB Entry 74013 Source: CCN Type: BID-74013 Microsoft Windows HTTP Protocol Stack CVE-2015-1635 Remote Code Execution Vulnerability Source: SECTRACK Type: Third Party Advisory, VDB Entry 1032109 Source: MS Type: Patch, Vendor Advisory MS15-034 Source: XF Type: UNKNOWN ms-http-cve20151635-code-exec(101923) Source: CCN Type: Packet Storm Security [04-16-2015] Microsoft Windows HTTP.sys Proof Of Concept Source: CCN Type: CYBERSECURITY & INFRASTRUCTURE SECURITY AGENCY KNOWN EXPLOITED VULNERABILITIES CATALOG Source: EXPLOIT-DB Type: EXPLOIT Offensive Security Exploit Database [04-15-2015] Source: EXPLOIT-DB Type: Exploit, Third Party Advisory, VDB Entry 36773 Source: EXPLOIT-DB Type: EXPLOIT Offensive Security Exploit Database [04-16-2015] Source: EXPLOIT-DB Type: Exploit, Third Party Advisory, VDB Entry 36776 Source: CCN Type: Rapid7 Vulnerability and Exploit Database [05-30-2018] MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service Source: CCN Type: Rapid7 Vulnerability and Exploit Database [05-30-2018] MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure | ||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||
| Oval Definitions | |||||||||
| |||||||||
| BACK | |||||||||