Sign-up

ID

VAR-201411-0146


CVE

CVE-2014-4078


TITLE

Microsoft IIS of IP Vulnerability to bypass ruleset of wildcard domain restriction in security function

Trust: 0.8

sources: JVNDB: JVNDB-2014-005399

DESCRIPTION

The IP Security feature in Microsoft Internet Information Services (IIS) 8.0 and 8.5 does not properly process wildcard allow and deny rules for domains within the "IP Address and Domain Restrictions" list, which makes it easier for remote attackers to bypass an intended rule set via an HTTP request, aka "IIS Security Feature Bypass Vulnerability.". Microsoft Internet Information Services is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and gain unauthorized access; this may aid in launching further attacks. The title has been changed to better reflect the vulnerability information

Trust: 1.98

sources: NVD: CVE-2014-4078 // JVNDB: JVNDB-2014-005399 // BID: 70937 // VULMON: CVE-2014-4078

AFFECTED PRODUCTS

vendor:microsoftmodel:internet information servicesscope:eqversion:8.5

Trust: 1.6

vendor:microsoftmodel:internet information servicesscope:eqversion:8.0

Trust: 1.6

vendor:microsoftmodel:iisscope:eqversion:8.0 (microsoft windows 8 for 32-bit systems)

Trust: 0.8

vendor:microsoftmodel:iisscope:eqversion:8.0 (microsoft windows 8 for x64-based systems)

Trust: 0.8

vendor:microsoftmodel:iisscope:eqversion:8.0 (microsoft windows server 2012 for x64-based systems)

Trust: 0.8

vendor:microsoftmodel:iisscope:eqversion:8.5 (microsoft windows 8.1 for 32-bit systems)

Trust: 0.8

vendor:microsoftmodel:iisscope:eqversion:8.5 (microsoft windows 8.1 for x64-based systems)

Trust: 0.8

vendor:microsoftmodel:iisscope:eqversion:8.5 (microsoft windows server 2012 r2 for x64-based systems)

Trust: 0.8

vendor:microsoftmodel:internet explorerscope:eqversion:11

Trust: 0.3

vendor:microsoftmodel:iisscope:eqversion:8.5

Trust: 0.3

vendor:microsoftmodel:iisscope:eqversion:8.0

Trust: 0.3

sources: BID: 70937 // JVNDB: JVNDB-2014-005399 // CNNVD: CNNVD-201411-129 // NVD: CVE-2014-4078

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-4078
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-4078
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201411-129
value: MEDIUM

Trust: 0.6

VULMON: CVE-2014-4078
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-4078
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

sources: VULMON: CVE-2014-4078 // JVNDB: JVNDB-2014-005399 // CNNVD: CNNVD-201411-129 // NVD: CVE-2014-4078

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.8

sources: JVNDB: JVNDB-2014-005399 // NVD: CVE-2014-4078

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201411-129

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201411-129

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-005399

PATCH
title:MS14-076url:https://technet.microsoft.com/en-us/library/security/ms14-076.aspx
Trust: 0.8
title:Assessing Risk for the November 2014 Security Updatesurl:http://blogs.technet.com/b/srd/archive/2014/11/11/assessing-risk-for-the-november-2014-security-updates.aspx
Trust: 0.8
title:MS14-076url:https://technet.microsoft.com/ja-jp/library/security/ms14-076.aspx
Trust: 0.8
title:For  x64 Systematic  Windows 8.1 Security update  (KB2982998)url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52372
Trust: 0.6
title:Windows 8.1 Security update  (KB2982998)url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52371
Trust: 0.6
title:For  x64 Systematic  Windows 8 Security update  (KB2982998)url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52370
Trust: 0.6
title:Windows 8 Security update  (KB2982998)url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52369
Trust: 0.6
title: - url:https://github.com/burakd81/bsvg 
Trust: 0.1
title:C844url:https://github.com/aRustyDev/C844 
Trust: 0.1
sources:
            
            
            VULMON: CVE-2014-4078 // 
            
            
            
            JVNDB: JVNDB-2014-005399 // 
            
            
            
            CNNVD: CNNVD-201411-129

EXTERNAL IDS
db:NVDid:CVE-2014-4078
Trust: 2.8
db:BIDid:70937
Trust: 1.4
db:SECTRACKid:1031194
Trust: 1.1
db:JVNDBid:JVNDB-2014-005399
Trust: 0.8
db:CNNVDid:CNNVD-201411-129
Trust: 0.6
db:VULMONid:CVE-2014-4078
Trust: 0.1
sources:
            
            
            VULMON: CVE-2014-4078 // 
            
            
            
            BID: 70937 // 
            
            
            
            JVNDB: JVNDB-2014-005399 // 
            
            
            
            CNNVD: CNNVD-201411-129 // 
            
            
            
            NVD: CVE-2014-4078

REFERENCES
url:http://www.securityfocus.com/bid/70937
Trust: 1.2
url:http://www.securitytracker.com/id/1031194
Trust: 1.1
url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-076
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4078
Trust: 0.8
url:http://www.ipa.go.jp/security/ciadr/vul/20141112-ms.html
Trust: 0.8
url:http://www.jpcert.or.jp/at/2014/at140045.html
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4078
Trust: 0.8
url:http://www.npa.go.jp/cyberpolice/topics/?seq=14926
Trust: 0.8
url:http://technet.microsoft.com/security/bulletin/ms14-076
Trust: 0.6
url:http://www.microsoft.com
Trust: 0.3
url:https://technet.microsoft.com/en-us/library/security/ms14-051
Trust: 0.3
url:http://technet.microsoft.com/en-us/security/bulletin/ms14-076
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/264.html
Trust: 0.1
url:https://github.com/burakd81/bsvg
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/70937
Trust: 0.1
sources:
            
            
            VULMON: CVE-2014-4078 // 
            
            
            
            BID: 70937 // 
            
            
            
            JVNDB: JVNDB-2014-005399 // 
            
            
            
            CNNVD: CNNVD-201411-129 // 
            
            
            
            NVD: CVE-2014-4078

CREDITS
Microsoft
Trust: 0.3
sources:
            
            
            BID: 70937

SOURCES
db:VULMONid:CVE-2014-4078
db:BIDid:70937
db:JVNDBid:JVNDB-2014-005399
db:CNNVDid:CNNVD-201411-129
db:NVDid:CVE-2014-4078

LAST UPDATE DATE
2024-11-23T22:18:32.722000+00:00

SOURCES UPDATE DATE
db:VULMONid:CVE-2014-4078date:2018-10-12T00:00:00
db:BIDid:70937date:2018-02-09T11:00:00
db:JVNDBid:JVNDB-2014-005399date:2015-01-09T00:00:00
db:CNNVDid:CNNVD-201411-129date:2014-11-14T00:00:00
db:NVDid:CVE-2014-4078date:2024-11-21T02:09:27.917

SOURCES RELEASE DATE
db:VULMONid:CVE-2014-4078date:2014-11-11T00:00:00
db:BIDid:70937date:2014-11-11T00:00:00
db:JVNDBid:JVNDB-2014-005399date:2014-11-13T00:00:00
db:CNNVDid:CNNVD-201411-129date:2014-11-14T00:00:00
db:NVDid:CVE-2014-4078date:2014-11-11T22:55:04.670