CVE-2011-3417 : The Forms Authentication feature in the ASP.NET subsystem in Microsoft .NET Fram

The Forms Authentication feature in the ASP.NET subsystem in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0, when sliding expiry is enabled, does not properly handle cached content, which allows remote attackers to obtain access to arbitrary user accounts via a crafted URL, aka "ASP.NET Forms Authentication Ticket Caching Vulnerability."

Published 2011-12-30 01:55:01

Updated 2023-12-07 18:38:57

Source Microsoft Corporation

View at NVD, CVE.org

Products affected by CVE-2011-3417

Microsoft » Windows Xp » Update SP2 Professional X64 Edition
cpe:2.3:o:microsoft:windows_xp:*:sp2:professional_x64:*:*:*:*:*
Matching versions
Microsoft » Windows Xp » Version: SP3 Update Unknown English Edition
cpe:2.3:o:microsoft:windows_xp:sp3:unknown:english:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2003 » Update SP2
cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*
Matching versions
Microsoft » Windows Vista » Update SP2
cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*
Matching versions
Microsoft » Windows Vista » Version: N/A Update SP2
cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2008 » Update R2 X64 Edition
cpe:2.3:o:microsoft:windows_server_2008:*:r2:x64:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2008 » Update SP2 Itanium Edition
cpe:2.3:o:microsoft:windows_server_2008:*:sp2:itanium:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2008 » Version: N/A Update SP2 X86 Edition
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x86:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2008 » Version: N/A Update SP2 X64 Edition
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x64:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2008 » Version: R2 Itanium Edition
cpe:2.3:o:microsoft:windows_server_2008:r2:*:itanium:*:*:*:*:*
Matching versions
Microsoft » Windows 7 » Version: N/A
cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 7 » Version: N/A Update SP1 X86 Edition
cpe:2.3:o:microsoft:windows_7:-:sp1:x86:*:*:*:*:*
Matching versions
Microsoft » Windows 7 » Version: N/A Update SP1 X64 Edition
cpe:2.3:o:microsoft:windows_7:-:sp1:x64:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2011-3417

EPSS FAQ

64.98%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 98 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2011-3417

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2011-3417

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2011-3417

http://www.securityfocus.com/bid/51203

Microsoft .NET Framework ASP.NET Forms CVE-2011-3417 Security Bypass Vulnerability
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-100

Microsoft Security Bulletin MS11-100 - Critical | Microsoft Docs

CVEs referencing this url
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14625

Repository / Oval Repository
http://www.us-cert.gov/cas/techalerts/TA11-347A.html

Microsoft Updates for Multiple Vulnerabilities | CISA
US Government Resource

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2011-3417

Products affected by CVE-2011-3417

Exploit prediction scoring system (EPSS) score for CVE-2011-3417

CVSS scores for CVE-2011-3417

CWE ids for CVE-2011-3417

References for CVE-2011-3417