Vulnerability Name:

CVE-2015-1672 (CCN-102720)

Assigned:2015-05-12
Published:2015-05-12
Updated:2018-10-12
Summary:Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2 allows remote attackers to cause a denial of service (recursion and performance degradation) via crafted encrypted data in an XML document, aka ".NET XML Decryption Denial of Service Vulnerability."
<a href="https://cwe.mitre.org/data/definitions/674.html">CWE-674: Uncontrolled Recursion</a>
CVSS v3 Severity:6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P)
4.7 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-310
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2015-1672

Source: CCN
Type: Microsoft Security Bulletin MS15-048
Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3057134)

Source: CCN
Type: Microsoft Security Bulletin MS16-035
Security Update for .NET Framework to Address Security Feature Bypass (3141780)

Source: BID
Type: Third Party Advisory, VDB Entry
74482

Source: CCN
Type: BID-74482
Microsoft .NET Framework CVE-2015-1672 Remote Denial of Service Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1032297

Source: MS
Type: UNKNOWN
MS15-048

Source: XF
Type: UNKNOWN
ms-dotnet-cve20151672-dos(102720)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:.net_framework:3.5:-:*:*:*:*:*:*
  • OR cpe:/a:microsoft:.net_framework:3.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:.net_framework:4.0:-:*:*:*:*:*:*
  • OR cpe:/a:microsoft:.net_framework:4.5:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:.net_framework:4.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:.net_framework:4.5.2:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:microsoft:.net_framework:1.1:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:.net_framework:3.5:-:*:*:*:*:*:*
  • OR cpe:/a:microsoft:.net_framework:3.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:.net_framework:4.0:-:*:*:*:*:*:*
  • OR cpe:/a:microsoft:.net_framework:4.5:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:.net_framework:4.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:.net_framework:4.5.2:*:*:*:*:*:*:*
  • AND
  • cpe:/o:microsoft:windows:server_2003:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:*:sp2:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x32:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:itanium:*
  • OR cpe:/o:microsoft:windows_vista:*:sp2:*:*:*:*:x32:*
  • OR cpe:/o:microsoft:windows_7:-:sp1:-:*:-:-:x32:*
  • OR cpe:/o:microsoft:windows_7:*:sp1:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
  • OR cpe:/o:microsoft:windows_8:-:-:-:*:-:-:x32:*
  • OR cpe:/o:microsoft:windows_8:*:*:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2012:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_8.1:-:-:-:*:-:-:x32:*
  • OR cpe:/o:microsoft:windows_8.1:*:*:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:28739
    V
    		.NET XML decryption denial of service vulnerability - CVE-2015-1672 (MS15-048)
    2015-12-22
    BACK
    microsoft .net framework 2.0 sp2
    microsoft .net framework 3.5
    microsoft .net framework 3.5.1
    microsoft .net framework 4.0
    microsoft .net framework 4.5
    microsoft .net framework 4.5.1
    microsoft .net framework 4.5.2
    microsoft .net framework 1.1 sp1
    microsoft .net framework 2.0 sp2
    microsoft .net framework 3.5
    microsoft .net framework 3.5.1
    microsoft .net framework 4.0
    microsoft .net framework 4.5
    microsoft .net framework 4.5.1
    microsoft .net framework 4.5.2
    microsoft windows server_2003 sp2
    microsoft windows server_2003 sp2
    microsoft windows server_2003 sp2
    microsoft windows vista * sp2
    microsoft windows server 2008 sp2
    microsoft windows server 2008 sp2
    microsoft windows server 2008
    microsoft windows vista * sp2
    microsoft windows 7 - sp1
    microsoft windows 7 * sp1
    microsoft windows server 2008 r2
    microsoft windows server 2008 r2
    microsoft windows 8 - -
    microsoft windows 8 *
    microsoft windows server 2012
    microsoft windows 8.1 - -
    microsoft windows 8.1 *
    microsoft windows server 2012 r2