CVE-2011-1271 — HIGH (7.7) — White Hats Nepal

Vulnerability Description

The JIT compiler in Microsoft .NET Framework 3.5 Gold and SP1, 3.5.1, and 4.0, when IsJITOptimizerDisabled is false, does not properly handle expressions related to null strings, which allows context-dependent attackers to bypass intended access restrictions, and consequently execute arbitrary code, in opportunistic circumstances by leveraging a crafted application, as demonstrated by (1) a crafted XAML browser application (aka XBAP), (2) a crafted ASP.NET application, or (3) a crafted .NET Framework application, aka ".NET Framework JIT Optimization Vulnerability."

CVSS Score

7.7

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Microsoft	.Net Framework	4.0
Microsoft	Windows 2003 Server	All versions
Microsoft	Windows 7	-
Microsoft	Windows Server 2003	All versions
Microsoft	Windows Server 2008	All versions
Microsoft	Windows Vista	All versions
Microsoft	Windows Xp	All versions

Related Weaknesses (CWE)

CWE-476 CWE-264

References

FAQ

What is CVE-2011-1271?

CVE-2011-1271 is a vulnerability with a CVSS score of 7.7 (HIGH). The JIT compiler in Microsoft .NET Framework 3.5 Gold and SP1, 3.5.1, and 4.0, when IsJITOptimizerDisabled is false, does not properly handle expressions related to null strings, which allows context-...

How severe is CVE-2011-1271?

CVE-2011-1271 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2011-1271?

Check the references section above for vendor advisories and patch information. Affected products include: Microsoft .Net Framework, Microsoft Windows 2003 Server, Microsoft Windows 7, Microsoft Windows Server 2003, Microsoft Windows Server 2008.