CVE-2009-2495

CVSS V2 High 7.8 CVSS V3 None
Description
The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1 does not properly enforce string termination, which allows remote attackers to obtain sensitive information via a crafted HTML document with an ATL (1) component or (2) control that triggers a buffer over-read, related to ATL headers and buffer allocation, aka "ATL Null String Vulnerability."
Overview
  • CVE ID
  • CVE-2009-2495
  • Assigner
  • secure@microsoft.com
  • Vulnerability Status
  • Modified
  • Published Version
  • 2009-07-29T17:30:01
  • Last Modified Date
  • 2018-10-12T21:51:46
Weakness Enumerations
CWE URL
CWE-200 http://cwe.mitre.org/data/definitions/200.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:microsoft:visual_c\+\+:2005:sp1_redistribution_pkg:*:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:visual_c\+\+:2008:redistribution_pkg:*:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:visual_c\+\+:2008:sp1_redistribution_pkg:*:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:visual_studio:2005:sp1:*:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:visual_studio:2005:sp1:64_bit_hosted_visual_c\+\+_tools:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:visual_studio:2008:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:visual_studio:2008:sp1:*:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:visual_studio_.net:2003:sp1:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:L/Au:N/C:C/I:N/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • LOW
  • Authentication
  • NONE
  • Confidentiality Impact
  • COMPLETE
  • Integrity Impact
  • NONE
  • Availability Impact
  • NONE
  • Base Score
  • 7.8
  • Severity
  • HIGH
  • Exploitability Score
  • 10
  • Impact Score
  • 6.9
References
Reference URL Reference Tags
http://www.vupen.com/english/advisories/2009/2034
http://www.adobe.com/support/security/bulletins/apsb09-13.html
http://secunia.com/advisories/36374
http://sunsolve.sun.com/search/document.do?assetkey=1-66-266108-1
http://www.adobe.com/support/security/bulletins/apsb09-10.html
http://www.us-cert.gov/cas/techalerts/TA09-195A.html US Government Resource
http://www.us-cert.gov/cas/techalerts/TA09-286A.html US Government Resource
http://marc.info/?l=bugtraq&m=126592505426855&w=2
http://www.novell.com/support/viewContent.do?externalId=7004997&sliceId=1
http://secunia.com/advisories/36746
http://secunia.com/advisories/35967
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7573
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6478
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6305
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-060
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-035
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2009-2495
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2495
History
Created Old Value New Value Data Type Notes
2022-05-10 18:24:47 Added to TrackCVE