Microsoft .NET CVE-2016-3255 Information Disclosure Vulnerability

Description

An information disclosure vulnerability exists when .NET Framework improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity declaration. To exploit the vulnerability, an attacker could create specially crafted XML data and induce an application to parse and validate the XML data. For example, an attacker could create an XML file and upload it to a web-based application. The update addresses the vulnerability by modifying the way that the XML External Entity (XXE) parser parses XML input.
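The description above concerns XML that carries an external entity declaration. The following is an added example, not code from this advisory or from Microsoft: general XXE hardening for a .NET application that parses uploaded XML. It is not a stated workaround for this CVE and does not replace the update. The `UntrustedXml` class, its `Load` helper and both sample documents are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

static class UntrustedXml
{
    // Hypothetical helper: load XML from an untrusted source with DTDs refused.
    public static XmlDocument Load(string xml)
    {
        var settings = new XmlReaderSettings
        {
            // Any <!DOCTYPE ...> raises XmlException, so no entity is ever declared.
            // (On .NET Framework 2.0/3.5 the equivalent is ProhibitDtd = true.)
            DtdProcessing = DtdProcessing.Prohibit,
            // No resolver: the reader cannot fetch external resources.
            XmlResolver = null
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (var text = new StringReader(xml))
        using (var reader = XmlReader.Create(text, settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    static void Main()
    {
        // Constructed samples; the file URI is a placeholder, not a real path.
        string benign = "<order><id>42</id></order>";
        string withEntity =
            "<?xml version=\"1.0\"?>" +
            "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///placeholder/constructed.txt\">]>" +
            "<order><id>&ext;</id></order>";

        foreach (var sample in new[] { benign, withEntity })
        {
            try
            {
                var doc = Load(sample);
                Console.WriteLine("accepted: " + doc.DocumentElement.OuterXml);
            }
            catch (XmlException ex)
            {
                // Log and reject the upload; do not fall back to a permissive parser.
                Console.WriteLine("rejected: " + ex.Message);
            }
        }
    }
}
```

Rejected uploads are worth logging with their source, since a DOCTYPE in data that should never contain one is a useful detection signal.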

Affected Applications

Microsoft .NET Framework 4.6 on Windows Vista Service Pack 2
Microsoft .NET Framework 4.5.2 on Windows RT 8.1
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Vista x64 Edition Service Pack 2
Microsoft .NET Framework 4.5.2 on Windows Vista Service Pack 2
Microsoft .NET Framework 4.5.2 on Windows Vista x64 Edition Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Vista Service Pack 2
Microsoft .NET Framework 4.6 on Windows Vista x64 Edition Service Pack 2
Windows 8
Windows Server 2008
Windows 10
Windows 7
Windows Server 2012
Microsoft .NET Framework 4.6/4.6.1 on Windows RT 8.1

CVE References

CVE-2016-3255