CVE-2009-1536

high

Description

ASP.NET in Microsoft .NET Framework 2.0 SP1 and SP2 and 3.5 Gold and SP1, when ASP 2.0 is used in integrated mode on IIS 7.0, does not properly manage request scheduling, which allows remote attackers to cause a denial of service (daemon outage) via a series of crafted HTTP requests, aka "Remote Unauthenticated Denial of Service in ASP.NET Vulnerability."

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6393

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-036

http://www.vupen.com/english/advisories/2009/2231

http://www.us-cert.gov/cas/techalerts/TA09-223A.html

http://www.securitytracker.com/id?1022715

http://www.securityfocus.com/bid/35985

http://secunia.com/advisories/36127

http://blogs.technet.com/srd/archive/2009/08/11/ms09-035-asp-net-denial-of-service-vulnerability.aspx

Details

Source: Mitre, NVD

Published: 2009-08-12

Updated: 2018-10-12

Risk Information

CVSS v2

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P

Severity: Low

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High