[Japanese]

JVNDB-2011-000041

Microsoft MSXML vulnerability in HTTP request processing

Overview

MSXML provided by Microsoft contains a vulnerability in the processing of HTTP requests.

MSXML provided by Microsoft contains a vulnerability where HTTP requests for XMLHTTP objects are not processed properly. As a result, when going through a proxy server, information may be sent to another server.

Yutaka Oiwa of Research Center for Information Security (RCIS) National Institute of Advanced Industrial Science and Technology (AIST), Japan reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Affected Products


Microsoft Corporation
  • Microsoft XML Core Service MSXML3 Service Pack 7 and earlier
  • Microsoft XML Core Service MSXML6 Initial Release

Internet Explorer (IE) and other web browsers that contain the above IE components may be vulnerable. For more details, please refer to the information provided by the developer.
Impact

When going through a proxy server, information such as authentication credentials or cookies may be leaked.
Solution

[Update the software]
Update to the latest version according to the information provided by the developer.
Vendor Information

Microsoft Corporation
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

References

  1. JVN : JVN#73643130
Revision History

[2011/06/16]
  Web page published

Date Public2011/06/15
Date First Published2011/06/16
Date Last Updated2011/06/16