CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
99.2%
Microsoft ASP.NET contains a canonicalization vulnerability that may allow a remote unauthenticated attacker to gain access to secure contents.
Microsoft ASP.NET is a programming framework for creating web applications. The canonicalization routine used by ASP.NET fails to correctly parse URLs.
Depending on the contents of the web site, an attacker may take a variety of actions. For example, a remote unauthenticated attacker may be able to access secure web site contents by using a specially crafted URL.
Install an update
Install an update, as specified by MS05-004.
Workarounds
Microsoft includes the following workarounds in MS05-004:
* Install an HTTP module to check for canonicalization issues as described in Microsoft Knowledge Base article [87289](<http://support.microsoft.com/kb/887289>).
* Test for canonicalization issues with ASP.NET as described in Microsoft Knowledge Base article [887459](<http://support.microsoft.com/kb/887459>).
* Install and use [URLScan](<http://www.microsoft.com/windows2000/downloads/recommended/urlscan/default.asp>).
283646
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: February 17, 2005
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see the Avaya Security Advisory.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23283646 Feedback>).
Updated: February 08, 2005
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see MS05-004.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23283646 Feedback>).
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
This vulnerability was publicly disclosed by Toby Beaumont.
This document was written by Will Dormann.
CVE IDs: | CVE-2004-0847 |
---|---|
Severity Metric: | 37.97 Date Public: |
archives.neohapsis.com/archives/ntbugtraq/2004-q3/0221.html
secunia.com/advisories/12749/
securitytracker.com/alerts/2004/Oct/1011559.html
securitytracker.com/alerts/2005/Feb/1013109.html
support.microsoft.com/kb/887289
support.microsoft.com/kb/887459
www.microsoft.com/protect/computer/updates/bulletins/200710.mspx
www.microsoft.com/technet/security/bulletin/ms05-004.mspx
www.microsoft.com/windows2000/downloads/recommended/urlscan/default.asp
www.securityfocus.com/bid/11342
xforce.iss.net/xforce/xfdb/17644
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
99.2%