var-199912-0194
Vulnerability from variot
IIS does not properly canonicalize URLs, potentially allowing remote attackers to bypass access restrictions in third-party software via escape characters, aka the "Escape Character Parsing" vulnerability. IIS accepts percent-escape sequences that contain characters that are not valid hexadecimal digits. All web servers that comply with RFC 1738 accept hexadecimal digits preceded by a percent sign, but IIS also accepts invalid hex digits and translates some of them into valid ASCII characters. This provides a third way of constructing URLs (plaintext, valid hex, and invalid hex) that may be used to bypass third-party access control mechanisms and intrusion detection systems. The bypass depends on the third-party component evaluating the raw request URL differently from how IIS decodes it, so a filter or detection rule in front of IIS needs to either normalize URLs the way the server does or reject malformed percent-escapes. This issue does not provide a means of compromising the IIS server itself. The record below lists Microsoft Security Bulletin MS99-061 as the patch reference.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-199912-0194", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "internet information server", "scope": "eq", "trust": 1.6, "vendor": "microsoft", "version": "4.0" }, { "model": "site server commerce", "scope": "eq", "trust": 1.6, "vendor": "microsoft", "version": "3.0" }, { "model": "site server", "scope": "eq", "trust": 
1.6, "vendor": "microsoft", "version": "3.0" }, { "model": "iis", "scope": "eq", "trust": 1.1, "vendor": "microsoft", "version": "4.0" }, { "model": "site server commerce edition i386", "scope": "eq", "trust": 0.3, "vendor": "microsoft", "version": "3.0" }, { "model": "site server commerce edition alpha", "scope": "eq", "trust": 0.3, "vendor": "microsoft", "version": "3.0" } ], "sources": [ { "db": "BID", "id": "886" }, { "db": "JVNDB", "id": "JVNDB-1999-000054" }, { "db": "CNNVD", "id": "CNNVD-199912-069" }, { "db": "NVD", "id": "CVE-2000-0024" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "cpe_match": [ { "cpe22Uri": "cpe:/a:microsoft:iis", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-1999-000054" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Reported to Microsoft by the ACROS Security Team and publicized in a Microsoft Security Bulletin released December 21, 1999.", "sources": [ { "db": "BID", "id": "886" } ], "trust": 0.3 }, "cve": "CVE-2000-0024", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "id": "CVE-2000-0024", "impactScore": 4.9, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 1.8, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2000-0024", "trust": 1.0, "value": "MEDIUM" }, { "author": "NVD", "id": "CVE-2000-0024", "trust": 0.8, "value": "Medium" }, { "author": "CNNVD", "id": "CNNVD-199912-069", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-1999-000054" }, { "db": "CNNVD", "id": "CNNVD-199912-069" }, { "db": "NVD", "id": "CVE-2000-0024" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "IIS does not properly canonicalize URLs, potentially allowing remote attackers to bypass access restrictions in third-party software via escape characters, aka the \"Escape Character Parsing\" vulnerability. IIS accepts escaped characters that are not valid hexadecimal digits. All webservers that are compliant with RFC 1738 accept hexadecimal digits that are preceded by a percent sign, but IIS will also accept invalid hex digits and translate some of them into valid ASCII characters. This provides a third means of constructing URLs (plaintext, valid hex, and invalid hex) that may be used to bypass third-party access control mechanisms and intrusion detection systems. 
This issue does not provide a means of compromising the IIS server itself", "sources": [ { "db": "NVD", "id": "CVE-2000-0024" }, { "db": "JVNDB", "id": "JVNDB-1999-000054" }, { "db": "BID", "id": "886" } ], "trust": 1.89 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2000-0024", "trust": 2.4 }, { "db": "BID", "id": "886", "trust": 1.1 }, { "db": "JVNDB", "id": "JVNDB-1999-000054", "trust": 0.8 }, { "db": "MS", "id": "MS99-061", "trust": 0.6 }, { "db": "MSKB", "id": "Q246401", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-199912-069", "trust": 0.6 } ], "sources": [ { "db": "BID", "id": "886" }, { "db": "JVNDB", "id": "JVNDB-1999-000054" }, { "db": "CNNVD", "id": "CNNVD-199912-069" }, { "db": "NVD", "id": "CVE-2000-0024" } ] }, "id": "VAR-199912-0194", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 1.0 }, "last_update_date": "2024-11-22T23:10:45.857000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MS99-061", "trust": 0.8, "url": "http://www.microsoft.com/technet/security/bulletin/ms99-061.mspx" }, { "title": "MS99-061", "trust": 0.8, "url": "http://www.microsoft.com/japan/technet/security/bulletin/ms99-061.mspx" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-1999-000054" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-Other", "trust": 1.0 } ], "sources": [ { "db": "NVD", "id": "CVE-2000-0024" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.6, "url": "http://www.acrossecurity.com/aspr/aspr-1999-11-10-1-pub.txt" }, { "trust": 2.0, "url": "http://support.microsoft.com/default.aspx?scid=kb%3b%5bln%5d%3bq246401" }, { "trust": 2.0, "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-061" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2000-0024" }, { "trust": 0.8, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2000-0024" }, { "trust": 0.8, "url": "http://www.securityfocus.com/bid/886" }, { "trust": 0.6, "url": "http://support.microsoft.com/default.aspx?scid=kb;%5bln%5d;q246401" }, { "trust": 0.6, "url": "http://www.microsoft.com/technet/security/bulletin/ms99-061.asp" }, { "trust": 0.3, "url": "http://www.microsoft.com/technet/security/bulletin/fq99-061.asp" } ], "sources": [ { "db": "BID", "id": "886" }, { "db": "JVNDB", "id": "JVNDB-1999-000054" }, { "db": "CNNVD", "id": "CNNVD-199912-069" }, { "db": "NVD", "id": "CVE-2000-0024" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "BID", "id": "886" }, { "db": "JVNDB", "id": "JVNDB-1999-000054" }, { "db": "CNNVD", "id": "CNNVD-199912-069" }, { "db": "NVD", "id": "CVE-2000-0024" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "1999-12-21T00:00:00", "db": "BID", "id": "886" }, { "date": "2007-04-01T00:00:00", "db": "JVNDB", "id": "JVNDB-1999-000054" }, { "date": 
"1999-12-21T00:00:00", "db": "CNNVD", "id": "CNNVD-199912-069" }, { "date": "1999-12-21T05:00:00", "db": "NVD", "id": "CVE-2000-0024" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "1999-12-21T00:00:00", "db": "BID", "id": "886" }, { "date": "2007-04-01T00:00:00", "db": "JVNDB", "id": "JVNDB-1999-000054" }, { "date": "2005-10-12T00:00:00", "db": "CNNVD", "id": "CNNVD-199912-069" }, { "date": "2024-11-20T23:31:33.050000", "db": "NVD", "id": "CVE-2000-0024" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-199912-069" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Microsoft IIS Authentication avoidance vulnerability in handling escape characters", "sources": [ { "db": "JVNDB", "id": "JVNDB-1999-000054" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "unknown", "sources": [ { "db": "CNNVD", "id": "CNNVD-199912-069" } ], "trust": 0.6 } }