Unrated severityNVD Advisory· Published Sep 22, 2010· Updated Apr 29, 2026

CVE-2010-3332

Description

Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."

Affected products

Microsoft/.net Framework7 versions
cpe:2.3:a:microsoft:.net_framework:1.1:sp1:*:*:*:*:*:*+ 6 more
- cpe:2.3:a:microsoft:.net_framework:1.1:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:2.0:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:3.5:-:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:3.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:3.5:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:4.0:-:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070nvdPatchVendor Advisory
www.mono-project.com/VulnerabilitiesnvdExploitThird Party Advisory
www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.htmlnvdExploitThird Party Advisory
blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspxnvdVendor Advisory
isc.sans.edu/diary.htmlnvdThird Party Advisory
pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/nvdThird Party Advisory
secunia.com/advisories/41409nvdThird Party Advisory
securitytracker.com/idnvdThird Party AdvisoryVDB Entry
threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310nvdThird Party Advisory
weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspxnvdMitigationThird Party Advisory
www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2799/Oracle-Padding-Vulnerability-in-ASP-NET.aspxnvdThird Party Advisory
www.securityfocus.com/bid/43316nvdThird Party AdvisoryVDB Entry
www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-securitynvdThird Party Advisory
www.vupen.com/english/advisories/2010/2429nvdThird Party Advisory
www.vupen.com/english/advisories/2010/2751nvdThird Party Advisory
exchange.xforce.ibmcloud.com/vulnerabilities/61898nvdThird Party AdvisoryVDB Entry
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12365nvdThird Party Advisory
twitter.com/thaidn/statuses/24832350146nvdBroken Link
www.ekoparty.org/juliano-rizzo-2010.phpnvdBroken Link
www.microsoft.com/technet/security/advisory/2416728.mspxnvdBroken Link

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.067
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000