CVE-2016-7270 - The Data Provider for SQL Server in Microsoft .NET Framework 4.6.2 mishandles a developer-supplied k

CVE-2016-7270

Summary

The Data Provider for SQL Server in Microsoft .NET Framework 4.6.2 mishandles a developer-supplied key, which allows remote attackers to bypass the Always Encrypted protection mechanism and obtain sensitive cleartext information by leveraging key guessability, aka ".NET Information Disclosure Vulnerability."

References

Vulnerable Configurations

cpe:2.3:a:microsoft:.net_framework:4.6.2:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:.net_framework:4.6.2:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 12-10-2018 - 22:14)
Impact:
Exploitability:

CWE

CWE-310

CAPEC

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:N/A:N

msbulletin via4

bulletin_id	MS16-155
bulletin_url
date	2016-12-13T00:00:00
impact	Information Disclosure
knowledgebase_id	3205640
knowledgebase_url
severity	Important
title	Security Update for .NET Framework

refmap via4

bid	94741
sectrack	1037455

Last major update

12-10-2018 - 22:14

Published

20-12-2016 - 06:59

Last modified

12-10-2018 - 22:14