ID CVE-2016-7270
Summary The Data Provider for SQL Server in Microsoft .NET Framework 4.6.2 mishandles a developer-supplied key, which allows remote attackers to bypass the Always Encrypted protection mechanism and obtain sensitive cleartext information by leveraging key guessability, aka ".NET Information Disclosure Vulnerability."
References
Vulnerable Configurations
  • cpe:2.3:a:microsoft:.net_framework:4.6.2:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 12-10-2018 - 22:14)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
msbulletin via4
bulletin_id MS16-155
bulletin_url
date 2016-12-13T00:00:00
impact Information Disclosure
knowledgebase_id 3205640
knowledgebase_url
severity Important
title Security Update for .NET Framework
refmap via4
bid 94741
sectrack 1037455
Last major update 12-10-2018 - 22:14
Published 20-12-2016 - 06:59
Last modified 12-10-2018 - 22:14