ID

VAR-201404-0015


CVE

CVE-2011-5279


TITLE

CRLF injection vulnerability in Microsoft Internet Information Services running on Windows NT and Windows 2000

Trust: 0.8

sources: JVNDB: JVNDB-2014-002229

DESCRIPTION

CRLF injection vulnerability in the CGI implementation in Microsoft Internet Information Services (IIS) 4.x and 5.x on Windows NT and Windows 2000 allows remote attackers to modify arbitrary uppercase environment variables via a \n (newline) character in an HTTP header.

Supplementary information: the vulnerability type has been identified as CWE-93: Improper Neutralization of CRLF Sequences (CRLF injection). http://cwe.mitre.org/data/definitions/93.html

A third party could change any uppercase environment variable via a \n (newline) character in an HTTP header.

Trust: 1.62

sources: NVD: CVE-2011-5279 // JVNDB: JVNDB-2014-002229

AFFECTED PRODUCTS

vendor: microsoft, model: iis, scope: eq, version: 4.0

Trust: 1.4

vendor: microsoft, model: iis, scope: eq, version: 5.0

Trust: 1.4

vendor: microsoft, model: iis, scope: eq, version: 5.06

Trust: 1.4

vendor: microsoft, model: iis, scope: eq, version: 5.1

Trust: 1.4

vendor: microsoft, model: internet information services, scope: eq, version: 5.0

Trust: 1.0

vendor: microsoft, model: internet information services, scope: eq, version: 4.0

Trust: 1.0

sources: JVNDB: JVNDB-2014-002229 // CNNVD: CNNVD-201404-489 // NVD: CVE-2011-5279

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-5279
value: MEDIUM

Trust: 1.0

NVD: CVE-2011-5279
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201404-489
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2011-5279
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2011-5279
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

sources: JVNDB: JVNDB-2014-002229 // CNNVD: CNNVD-201404-489 // NVD: CVE-2011-5279

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2014-002229 // NVD: CVE-2011-5279

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201404-489

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201404-489

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002229

PATCH

title: The Official Microsoft IIS Site, url: http://www.iis.net/

Trust: 0.8

sources: JVNDB: JVNDB-2014-002229

EXTERNAL IDS

db: NVD, id: CVE-2011-5279

Trust: 2.4

db: JVNDB, id: JVNDB-2014-002229

Trust: 0.8

db: CNNVD, id: CNNVD-201404-489

Trust: 0.6

sources: JVNDB: JVNDB-2014-002229 // CNNVD: CNNVD-201404-489 // NVD: CVE-2011-5279

REFERENCES

url:http://seclists.org/fulldisclosure/2014/apr/128

Trust: 2.4

url:http://seclists.org/fulldisclosure/2012/apr/13

Trust: 1.6

url:http://seclists.org/fulldisclosure/2014/apr/108

Trust: 1.6

url:http://seclists.org/fulldisclosure/2012/apr/0

Trust: 1.6

url:http://hi.baidu.com/yuange1975/item/b2cc7141c22108e91e19bc2e

Trust: 1.6

url:http://seclists.org/fulldisclosure/2014/apr/247

Trust: 1.6

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-5279

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-5279

Trust: 0.8

sources: JVNDB: JVNDB-2014-002229 // CNNVD: CNNVD-201404-489 // NVD: CVE-2011-5279

SOURCES

db: JVNDB, id: JVNDB-2014-002229
db: CNNVD, id: CNNVD-201404-489
db: NVD, id: CVE-2011-5279

LAST UPDATE DATE

2024-08-14T15:24:16.478000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2014-002229, date: 2014-04-25T00:00:00
db: CNNVD, id: CNNVD-201404-489, date: 2021-08-16T00:00:00
db: NVD, id: CVE-2011-5279, date: 2020-11-23T19:47:14.017

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2014-002229, date: 2014-04-25T00:00:00
db: CNNVD, id: CNNVD-201404-489, date: 2014-04-25T00:00:00
db: NVD, id: CVE-2011-5279, date: 2014-04-23T20:55:06.623