Vulnerability Description
ASP.NET in Microsoft .NET Framework 2.0 SP1 and SP2 and 3.5 Gold and SP1, when ASP 2.0 is used in integrated mode on IIS 7.0, does not properly manage request scheduling, which allows remote attackers to cause a denial of service (daemon outage) via a series of crafted HTTP requests, aka "Remote Unauthenticated Denial of Service in ASP.NET Vulnerability."
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | .Net Framework | 2.0 |
| Microsoft | Windows Server 2008 | - |
| Microsoft | Windows Vista | All versions |
Related Weaknesses (CWE)
References
- http://blogs.technet.com/srd/archive/2009/08/11/ms09-035-asp-net-denial-of-serviVendor Advisory
- http://osvdb.org/56905Broken Link
- http://secunia.com/advisories/36127Third Party Advisory
- http://www.securityfocus.com/bid/35985PatchThird Party AdvisoryVDB Entry
- http://www.securitytracker.com/id?1022715Third Party AdvisoryVDB Entry
- http://www.us-cert.gov/cas/techalerts/TA09-223A.htmlThird Party AdvisoryUS Government Resource
- http://www.vupen.com/english/advisories/2009/2231Permissions RequiredThird Party Advisory
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-03
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Third Party Advisory
- http://blogs.technet.com/srd/archive/2009/08/11/ms09-035-asp-net-denial-of-serviVendor Advisory
- http://osvdb.org/56905Broken Link
- http://secunia.com/advisories/36127Third Party Advisory
- http://www.securityfocus.com/bid/35985PatchThird Party AdvisoryVDB Entry
- http://www.securitytracker.com/id?1022715Third Party AdvisoryVDB Entry
- http://www.us-cert.gov/cas/techalerts/TA09-223A.htmlThird Party AdvisoryUS Government Resource
FAQ
What is CVE-2009-1536?
CVE-2009-1536 is a vulnerability with a CVSS score of 2.6 (LOW). ASP.NET in Microsoft .NET Framework 2.0 SP1 and SP2 and 3.5 Gold and SP1, when ASP 2.0 is used in integrated mode on IIS 7.0, does not properly manage request scheduling, which allows remote attackers...
How severe is CVE-2009-1536?
CVE-2009-1536 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2009-1536?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft .Net Framework, Microsoft Windows Server 2008, Microsoft Windows Vista.