CVE-2009-1536 (GCVE-0-2009-1536)
Vulnerability from cvelistv5
Published
2009-08-12 17:00
Modified
2024-08-07 05:13
Severity ?
CWE
  • n/a
Summary
ASP.NET in Microsoft .NET Framework 2.0 SP1 and SP2 and 3.5 Gold and SP1, when ASP 2.0 is used in integrated mode on IIS 7.0, does not properly manage request scheduling, which allows remote attackers to cause a denial of service (daemon outage) via a series of crafted HTTP requests, aka "Remote Unauthenticated Denial of Service in ASP.NET Vulnerability."
References
secure@microsoft.com http://blogs.technet.com/srd/archive/2009/08/11/ms09-035-asp-net-denial-of-service-vulnerability.aspx Vendor Advisory
secure@microsoft.com http://osvdb.org/56905 Broken Link
secure@microsoft.com http://secunia.com/advisories/36127 Third Party Advisory
secure@microsoft.com http://www.securityfocus.com/bid/35985 Patch, Third Party Advisory, VDB Entry
secure@microsoft.com http://www.securitytracker.com/id?1022715 Third Party Advisory, VDB Entry
secure@microsoft.com http://www.us-cert.gov/cas/techalerts/TA09-223A.html Third Party Advisory, US Government Resource
secure@microsoft.com http://www.vupen.com/english/advisories/2009/2231 Permissions Required, Third Party Advisory
secure@microsoft.com https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-036
secure@microsoft.com https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6393 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://blogs.technet.com/srd/archive/2009/08/11/ms09-035-asp-net-denial-of-service-vulnerability.aspx Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 http://osvdb.org/56905 Broken Link
af854a3a-2127-422b-91ae-364da2661108 http://secunia.com/advisories/36127 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://www.securityfocus.com/bid/35985 Patch, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 http://www.securitytracker.com/id?1022715 Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 http://www.us-cert.gov/cas/techalerts/TA09-223A.html Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108 http://www.vupen.com/english/advisories/2009/2231 Permissions Required, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-036
af854a3a-2127-422b-91ae-364da2661108 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6393 Third Party Advisory
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T05:13:25.653Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "oval:org.mitre.oval:def:6393",
            "tags": [
              "vdb-entry",
              "signature",
              "x_refsource_OVAL",
              "x_transferred"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6393"
          },
          {
            "name": "TA09-223A",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "http://www.us-cert.gov/cas/techalerts/TA09-223A.html"
          },
          {
            "name": "ADV-2009-2231",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2009/2231"
          },
          {
            "name": "36127",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/36127"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://blogs.technet.com/srd/archive/2009/08/11/ms09-035-asp-net-denial-of-service-vulnerability.aspx"
          },
          {
            "name": "MS09-036",
            "tags": [
              "vendor-advisory",
              "x_refsource_MS",
              "x_transferred"
            ],
            "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-036"
          },
          {
            "name": "1022715",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id?1022715"
          },
          {
            "name": "56905",
            "tags": [
              "vdb-entry",
              "x_refsource_OSVDB",
              "x_transferred"
            ],
            "url": "http://osvdb.org/56905"
          },
          {
            "name": "35985",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/35985"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2009-08-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "ASP.NET in Microsoft .NET Framework 2.0 SP1 and SP2 and 3.5 Gold and SP1, when ASP 2.0 is used in integrated mode on IIS 7.0, does not properly manage request scheduling, which allows remote attackers to cause a denial of service (daemon outage) via a series of crafted HTTP requests, aka \"Remote Unauthenticated Denial of Service in ASP.NET Vulnerability.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-12T19:57:01",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "oval:org.mitre.oval:def:6393",
          "tags": [
            "vdb-entry",
            "signature",
            "x_refsource_OVAL"
          ],
          "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6393"
        },
        {
          "name": "TA09-223A",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "http://www.us-cert.gov/cas/techalerts/TA09-223A.html"
        },
        {
          "name": "ADV-2009-2231",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2009/2231"
        },
        {
          "name": "36127",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/36127"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://blogs.technet.com/srd/archive/2009/08/11/ms09-035-asp-net-denial-of-service-vulnerability.aspx"
        },
        {
          "name": "MS09-036",
          "tags": [
            "vendor-advisory",
            "x_refsource_MS"
          ],
          "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-036"
        },
        {
          "name": "1022715",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id?1022715"
        },
        {
          "name": "56905",
          "tags": [
            "vdb-entry",
            "x_refsource_OSVDB"
          ],
          "url": "http://osvdb.org/56905"
        },
        {
          "name": "35985",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/35985"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "ID": "CVE-2009-1536",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "ASP.NET in Microsoft .NET Framework 2.0 SP1 and SP2 and 3.5 Gold and SP1, when ASP 2.0 is used in integrated mode on IIS 7.0, does not properly manage request scheduling, which allows remote attackers to cause a denial of service (daemon outage) via a series of crafted HTTP requests, aka \"Remote Unauthenticated Denial of Service in ASP.NET Vulnerability.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "oval:org.mitre.oval:def:6393",
              "refsource": "OVAL",
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6393"
            },
            {
              "name": "TA09-223A",
              "refsource": "CERT",
              "url": "http://www.us-cert.gov/cas/techalerts/TA09-223A.html"
            },
            {
              "name": "ADV-2009-2231",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2009/2231"
            },
            {
              "name": "36127",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/36127"
            },
            {
              "name": "http://blogs.technet.com/srd/archive/2009/08/11/ms09-035-asp-net-denial-of-service-vulnerability.aspx",
              "refsource": "MISC",
              "url": "http://blogs.technet.com/srd/archive/2009/08/11/ms09-035-asp-net-denial-of-service-vulnerability.aspx"
            },
            {
              "name": "MS09-036",
              "refsource": "MS",
              "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-036"
            },
            {
              "name": "1022715",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id?1022715"
            },
            {
              "name": "56905",
              "refsource": "OSVDB",
              "url": "http://osvdb.org/56905"
            },
            {
              "name": "35985",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/35985"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2009-1536",
    "datePublished": "2009-08-12T17:00:00",
    "dateReserved": "2009-05-05T00:00:00",
    "dateUpdated": "2024-08-07T05:13:25.653Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2009-1536\",\"sourceIdentifier\":\"secure@microsoft.com\",\"published\":\"2009-08-12T17:30:00.547\",\"lastModified\":\"2025-04-09T00:30:58.490\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ASP.NET in Microsoft .NET Framework 2.0 SP1 and SP2 and 3.5 Gold and SP1, when ASP 2.0 is used in integrated mode on IIS 7.0, does not properly manage request scheduling, which allows remote attackers to cause a denial of service (daemon outage) via a series of crafted HTTP requests, aka \\\"Remote Unauthenticated Denial of Service in ASP.NET Vulnerability.\\\"\"},{\"lang\":\"es\",\"value\":\"ASP.NET en Microsoft .NET Framework v2.0 SP1 y SP2 y v3.5 Gold y SP1, cuando ASP 2.0 es usado en modo integrado sobre IIS v7.0, no administra adecuadamente las peticiones de planificaci\u00f3n, lo que permite a atacantes remotos provocar una denegaci\u00f3n de servicio (parada de demonio) a trav\u00e9s de una serie de peticiones HTTP manipuladas, tambi\u00e9n conocida como \\\"Vulnerabilidad de denegaci\u00f3n de servicio remota no autenticada en ASP.NET\\\".\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:N/C:N/I:N/A:P\",\"baseScore\":2.6,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":4.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:.net_framework:2.0:sp1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F97EB992-2DC1-4E31-A298-072D8313130B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*\",\"matchCriteriaId\":\"42A6DF09-B8E1-414D-97E7-453566055279\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:.net_framework:3.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E039CE1F-B988-4741-AE2E-5B36E2AF9688\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:.net_framework:3.5:sp1:*:*:*:*:*:*\",\"matchCriteriaId\":\"0C610747-93E5-4014-8ED2-47F333174832\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"32623D48-7000-4C7D-823F-7D2A9841D88C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:microsoft:windows_vista:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3852BB02-47A1-40B3-8E32-8D8891A53114\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:microsoft:windows_vista:-:sp1:*:*:*:*:*:*\",\"matchCriteriaId\":\"3A04E39A-623E-45CA-A5FC-25DAA0F275A3\"}]}]}],\"references\":[{\"url\":\"http://blogs.technet.com/srd/archive/2009/08/11/ms09-035-asp-net-denial-of-service-vulnerability.aspx\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://osvdb.org/56905\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/36127\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/35985\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Patch\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id?1022715\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.us-cert.gov/cas/techalerts/TA09-223A.html\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://www.vupen.com/english/advisories/2009/2231\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Permissions Required\",\"Third Party Advisory\"]},{\"url\":\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-036\",\"source\":\"secure@microsoft.com\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6393\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://blogs.technet.com/srd/archive/2009/08/11/ms09-035-asp-net-denial-of-service-vulnerability.aspx\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://osvdb.org/56905\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/36127\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/35985\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id?1022715\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.us-cert.gov/cas/techalerts/TA09-223A.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://www.vupen.com/english/advisories/2009/2231\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\",\"Third Party Advisory\"]},{\"url\":\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-036\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6393\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.