CVE-2013-3171 - OpenCVE

The serialization functionality in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly check the permissions of delegate objects, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP) or (2) a crafted .NET Framework application that leverages a partial-trust relationship, aka "Delegate Serialization Vulnerability."

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Microsoft	.net Framework

Configuration 1 [-]

OR	cpe:2.3:a:microsoft:.net_framework:2.0:sp2::::::
	cpe:2.3:a:microsoft:.net_framework:3.5:::::::*
	cpe:2.3:a:microsoft:.net_framework:3.5:sp1::::::
	cpe:2.3:a:microsoft:.net_framework:3.5.1:::::::*
	cpe:2.3:a:microsoft:.net_framework:4.0:::::::*
	cpe:2.3:a:microsoft:.net_framework:4.5:::::::*

No data.

References

Link	Providers
http://www.us-cert.gov/ncas/alerts/TA13-190A
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-052
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16867

History

No history.

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2013-07-10T01:00:00

Updated: 2024-08-06T16:00:10.161Z

Reserved: 2013-04-17T00:00:00

Link: CVE-2013-3171

Vulnrichment

No data.

NVD

Status : Modified

Published: 2013-07-10T03:46:10.590

Modified: 2018-10-12T22:04:43.257

Link: CVE-2013-3171

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-07-09T00:00:00", "descriptions": [{"lang": "en", "value": "The serialization functionality in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly check the permissions of delegate objects, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP) or (2) a crafted .NET Framework application that leverages a partial-trust relationship, aka \"Delegate Serialization Vulnerability.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-12T19:57:01", "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft"}, "references": [{"name": "oval:org.mitre.oval:def:16867", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16867"}, {"name": "MS13-052", "tags": ["vendor-advisory", "x_refsource_MS"], "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-052"}, {"name": "TA13-190A", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "http://www.us-cert.gov/ncas/alerts/TA13-190A"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@microsoft.com", "ID": "CVE-2013-3171", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The serialization functionality in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly check the permissions of delegate objects, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP) or (2) a crafted .NET Framework application that leverages a partial-trust relationship, aka \"Delegate Serialization Vulnerability.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "oval:org.mitre.oval:def:16867", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16867"}, {"name": "MS13-052", "refsource": "MS", "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-052"}, {"name": "TA13-190A", "refsource": "CERT", "url": "http://www.us-cert.gov/ncas/alerts/TA13-190A"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T16:00:10.161Z"}, "title": "CVE Program Container", "references": [{"name": "oval:org.mitre.oval:def:16867", "tags": ["vdb-entry", "signature", "x_refsource_OVAL", "x_transferred"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16867"}, {"name": "MS13-052", "tags": ["vendor-advisory", "x_refsource_MS", "x_transferred"], "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-052"}, {"name": "TA13-190A", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"], "url": "http://www.us-cert.gov/ncas/alerts/TA13-190A"}]}]}, "cveMetadata": {"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "assignerShortName": "microsoft", "cveId": "CVE-2013-3171", "datePublished": "2013-07-10T01:00:00", "dateReserved": "2013-04-17T00:00:00", "dateUpdated": "2024-08-06T16:00:10.161Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*", "matchCriteriaId": "42A6DF09-B8E1-414D-97E7-453566055279", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:.net_framework:3.5:*:*:*:*:*:*:*", "matchCriteriaId": "E039CE1F-B988-4741-AE2E-5B36E2AF9688", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:.net_framework:3.5:sp1:*:*:*:*:*:*", "matchCriteriaId": "0C610747-93E5-4014-8ED2-47F333174832", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:.net_framework:3.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "8EDC4407-7E92-4E60-82F0-0C87D1860D3A", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:.net_framework:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "792B417F-96A0-4E9D-9E79-5D7F982E2225", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:.net_framework:4.5:*:*:*:*:*:*:*", "matchCriteriaId": "61FAD9EE-FA7F-4B39-8A9B-AFFAEC8BF214", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The serialization functionality in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly check the permissions of delegate objects, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP) or (2) a crafted .NET Framework application that leverages a partial-trust relationship, aka \"Delegate Serialization Vulnerability.\""}, {"lang": "es", "value": "La funcionalidad de serializaci\u00f3n en Microsoft .NET Framework v2.0 SP2, v3.5, v3.5 SP1, v3.5.1, v4, y v4.5 no comprueba correctamente los permisos de un objeto delegado, , lo que permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de (1) una aplicaci\u00f3n de navegador XAML manipulada (XBAP) o (2) una aplicaci\u00f3n .NET Framework modificada que aprovecha una relaci\u00f3n de confianza parcial, tambi\u00e9n conocido como \"Delegate Serialization Vulnerability.\""}], "id": "CVE-2013-3171", "lastModified": "2018-10-12T22:04:43.257", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2013-07-10T03:46:10.590", "references": [{"source": "secure@microsoft.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.us-cert.gov/ncas/alerts/TA13-190A"}, {"source": "secure@microsoft.com", "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-052"}, {"source": "secure@microsoft.com", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16867"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}