CVE-2006-1364 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2006-1364?

CVE-2006-1364 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2006-1364?

Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Asp.Net.

Vulnerability Description

Microsoft w3wp (aka w3wp.exe) does not properly handle when the AspCompat directive is not used when referencing COM components in ASP.NET, which allows remote attackers to cause a denial of service (resource consumption or crash) by repeatedly requesting each of several documents that refer to COM components, or are restricted documents located under the ASP.NET application path.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Microsoft	Asp.Net	<= 1.1

Related Weaknesses (CWE)

CWE-400

References

http://hackingspirits.com/vuln-rnd/w3wp-remote-dos.zipBroken LinkThird Party Advisory
http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044291.htmlThird Party Advisory
http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044292.htmlThird Party Advisory
http://securitytracker.com/id?1015825Third Party AdvisoryVDB Entry
http://www.securiteam.com/windowsntfocus/5KP0O0KI0Y.htmlExploitThird Party Advisory
http://www.securityfocus.com/archive/1/428622/100/0/threaded
http://www.securityfocus.com/bid/17188ExploitThird Party AdvisoryVDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/25392Third Party AdvisoryVDB Entry
https://www.exploit-db.com/exploits/1601ExploitThird Party AdvisoryVDB Entry
http://hackingspirits.com/vuln-rnd/w3wp-remote-dos.zipBroken LinkThird Party Advisory
http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044291.htmlThird Party Advisory
http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044292.htmlThird Party Advisory
http://securitytracker.com/id?1015825Third Party AdvisoryVDB Entry
http://www.securiteam.com/windowsntfocus/5KP0O0KI0Y.htmlExploitThird Party Advisory
http://www.securityfocus.com/archive/1/428622/100/0/threaded

FAQ

What is CVE-2006-1364?

CVE-2006-1364 is a vulnerability with a CVSS score of 7.5 (HIGH). Microsoft w3wp (aka w3wp.exe) does not properly handle when the AspCompat directive is not used when referencing COM components in ASP.NET, which allows remote attackers to cause a denial of service (...

How severe is CVE-2006-1364?

CVE-2006-1364 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2006-1364?

Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Asp.Net.