CVE-2015-1648 - OpenCVE

ASP.NET in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2, when the customErrors configuration is disabled, allows remote attackers to obtain sensitive configuration-file information via a crafted request, aka "ASP.NET Information Disclosure Vulnerability."

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:H/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Microsoft	.net Framework

Configuration 1 [-]

OR	cpe:2.3:a:microsoft:.net_framework:1.1:sp1::::::
	cpe:2.3:a:microsoft:.net_framework:2.0:sp2::::::
	cpe:2.3:a:microsoft:.net_framework:3.5:::::::*
	cpe:2.3:a:microsoft:.net_framework:3.5.1:::::::*
	cpe:2.3:a:microsoft:.net_framework:4.0:::::::*
	cpe:2.3:a:microsoft:.net_framework:4.5:::::::*
	cpe:2.3:a:microsoft:.net_framework:4.5.1:::::::*
	cpe:2.3:a:microsoft:.net_framework:4.5.2:::::::*

No data.

References

Link	Providers
http://www.securitytracker.com/id/1032116
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-041

History

No history.

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2015-04-14T20:00:00

Updated: 2024-08-06T04:47:17.500Z

Reserved: 2015-02-17T00:00:00

Link: CVE-2015-1648

Vulnrichment

No data.

NVD

Status : Modified

Published: 2015-04-14T20:59:10.827

Modified: 2018-10-12T22:08:35.680

Link: CVE-2015-1648

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-04-14T00:00:00", "descriptions": [{"lang": "en", "value": "ASP.NET in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2, when the customErrors configuration is disabled, allows remote attackers to obtain sensitive configuration-file information via a crafted request, aka \"ASP.NET Information Disclosure Vulnerability.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-12T19:57:01", "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft"}, "references": [{"name": "MS15-041", "tags": ["vendor-advisory", "x_refsource_MS"], "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-041"}, {"name": "1032116", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1032116"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@microsoft.com", "ID": "CVE-2015-1648", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ASP.NET in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2, when the customErrors configuration is disabled, allows remote attackers to obtain sensitive configuration-file information via a crafted request, aka \"ASP.NET Information Disclosure Vulnerability.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "MS15-041", "refsource": "MS", "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-041"}, {"name": "1032116", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1032116"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T04:47:17.500Z"}, "title": "CVE Program Container", "references": [{"name": "MS15-041", "tags": ["vendor-advisory", "x_refsource_MS", "x_transferred"], "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-041"}, {"name": "1032116", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1032116"}]}]}, "cveMetadata": {"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "assignerShortName": "microsoft", "cveId": "CVE-2015-1648", "datePublished": "2015-04-14T20:00:00", "dateReserved": "2015-02-17T00:00:00", "dateUpdated": "2024-08-06T04:47:17.500Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net_framework:1.1:sp1:*:*:*:*:*:*", "matchCriteriaId": "0BF6AE15-EAC3-4100-A742-211026C79CCC", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*", "matchCriteriaId": "42A6DF09-B8E1-414D-97E7-453566055279", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:.net_framework:3.5:*:*:*:*:*:*:*", "matchCriteriaId": "E039CE1F-B988-4741-AE2E-5B36E2AF9688", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:.net_framework:3.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "8EDC4407-7E92-4E60-82F0-0C87D1860D3A", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:.net_framework:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "792B417F-96A0-4E9D-9E79-5D7F982E2225", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:.net_framework:4.5:*:*:*:*:*:*:*", "matchCriteriaId": "61FAD9EE-FA7F-4B39-8A9B-AFFAEC8BF214", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:.net_framework:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "299DBEAE-1829-47A9-B09E-4AF327831B69", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:.net_framework:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "40B3A045-B08A-44E0-91BE-726753F6A362", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ASP.NET in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2, when the customErrors configuration is disabled, allows remote attackers to obtain sensitive configuration-file information via a crafted request, aka \"ASP.NET Information Disclosure Vulnerability.\""}, {"lang": "es", "value": "ASP.NET en Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, y 4.5.2, cuando la configuraci\u00f3n customErrors est\u00e1 deshabilitada, permite a atacantes remotos obtener informaci\u00f3n sensible de los ficheros de configuraci\u00f3n a trav\u00e9s de una solicitud manipulada, tambi\u00e9n conocido como 'vulnerabilidad de la divulgaci\u00f3n de informaci\u00f3n de ASP.NET.'"}], "id": "CVE-2015-1648", "lastModified": "2018-10-12T22:08:35.680", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-04-14T20:59:10.827", "references": [{"source": "secure@microsoft.com", "url": "http://www.securitytracker.com/id/1032116"}, {"source": "secure@microsoft.com", "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-041"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-19"}], "source": "nvd@nist.gov", "type": "Primary"}]}