CVE-2020-1476

EUVD-2020-12350
An elevation of privilege vulnerability exists when ASP.NET or .NET web applications running on IIS improperly allow access to cached files. An attacker who successfully exploited this vulnerability could gain access to restricted files.
To exploit this vulnerability, an attacker would need to send a specially crafted request to an affected server.
The update addresses the vulnerability by changing how ASP.NET and .NET handle requests.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 76%
Affected Products (NVD)
VendorProductVersion
microsoft.net_framework
2.0:sp2
microsoft.net_framework
3.5
microsoft.net_framework
3.5
microsoft.net_framework
4.6.2
microsoft.net_framework
4.7
microsoft.net_framework
4.7.1
microsoft.net_framework
4.7.2
microsoft.net_framework
3.5
microsoft.net_framework
4.6
microsoft.net_framework
4.6.1
microsoft.net_framework
4.6.2
microsoft.net_framework
3.5
microsoft.net_framework
4.7.1
microsoft.net_framework
4.7.2
microsoft.net_framework
3.5
microsoft.net_framework
4.7.2
microsoft.net_framework
3.5
microsoft.net_framework
4.8
microsoft.net_framework
3.5.1
microsoft.net_framework
4.5.2
microsoft.net_framework
4.6
microsoft.net_framework
4.6
microsoft.net_framework
4.6.1
microsoft.net_framework
4.6.2
microsoft.net_framework
4.7
microsoft.net_framework
4.7.1
microsoft.net_framework
4.7.2
microsoft.net_framework
4.8
𝑥
= Vulnerable software versions
Windows Releases
Platform
Version
Windows 10
(x64, x86)
KB4571692
1607 (x64, x86)
KB4569746
1607 (x64, x86)
KB4571694
1709 (arm64, x64, x86)
KB4571741
1709 (x64, x86)
KB4569748
1803 (arm64, x64, x86)
KB4571709
1803 (x64, x86)
KB4569749
1809 (arm64, x64, x64, x86, x86)
KB4570505
1903 (arm64, x64, x86)
KB4569751
1909 (arm64, x64, x86)
KB4569751
2004 (arm64, x64, x86)
KB4569745
Windows 7
Service Pack 1 (x64, x64, x64, x64, x86, x86, x86, x86)
KB4570506
Windows 8.1
(x64, x64, x64, x64, x86, x86, x86, x86)
KB4570508
(x64, x86)
KB4570502
Windows RT 8.1
All
KB4570508
Windows Server
1903 Server Core
KB4569751
1909 Server Core
KB4569751
2004 Server Core
KB4569745
Windows Server 2008
Service Pack 2 (x64, x64, x64, x86, x86, x86)
KB4570509
Windows Server 2008 R2
Service Pack 1 (x64, x64, x64, x64)
KB4570506
Service Pack 1 Server Core (x64, x64, x64)
KB4570506
Windows Server 2012
Server Core
KB4570507
Standard
KB4570507
Windows Server 2012 R2
Server Core
KB4570508
Server Core
KB4570502
Standard
KB4570508
Standard
KB4570502
Windows Server 2016
Server Core
KB4569746
Server Core
KB4571694
Standard
KB4569746
Standard
KB4571694
Windows Server 2019
Server Core
KB4570505
Standard
KB4570505
References
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1476
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1476