Improper input validation in Microsoft Commercial_internet_system

CVE-1999-0867

Denial of service in IIS 4.0 via a flood of HTTP requests with malformed headers.

Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)

EPSS: 0.221 (97.4th percentile) — read the EPSS interpretation.

Affected products

Microsoft Commercial_internet_system — versions 2.0, 2.5
Microsoft Internet_information_server — versions 4.0
Microsoft Site_server — versions 3.0
N/a — versions n/a

Weakness classification (CWE)

CWE-20 — Improper Input Validation

Public proof-of-concept exploits

ARPSyndicate/cve-scores

References

cve@mitre.org (vendor-advisory, x_refsource_MSKB)
cve@mitre.org (government-resource, third-party-advisory, x_refsource_CIAC)
cve@mitre.org (x_refsource_MS, vendor-advisory)
cve@mitre.org (vdb-entry, x_refsource_BID)

Frequently asked questions

What is CVE-1999-0867?: CVE-1999-0867 is a vulnerability in Microsoft Commercial_internet_system, classified under Improper Input Validation. Published 1999-08-11.
Is CVE-1999-0867 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.