ID

VAR-201801-1126


CVE

CVE-2018-0784


TITLE

ASP.NET Core elevation of privilege vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-001241

DESCRIPTION

ASP.NET Core 1.0, 1.1, and 2.0 allow an elevation of privilege vulnerability due to the ASP.NET Core project templates, aka "ASP.NET Core Elevation Of Privilege Vulnerability". This CVE is unique from CVE-2018-0808. Privileges may be elevated. Microsoft ASP.NET Core is a cross-platform open source framework from Microsoft Corporation of the United States. The framework is used to build cloud-based applications such as web applications, IoT applications, and mobile backends. An attacker could use this vulnerability to perform a content injection attack and execute a script in the current user's security context. An attacker can exploit this issue to gain elevated privileges.

Trust: 2.97

sources: NVD: CVE-2018-0784 // JVNDB: JVNDB-2018-001241 // CNVD: CNVD-2018-00899 // CNNVD: CNNVD-201801-406 // BID: 102377

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-00899

AFFECTED PRODUCTS

vendor: microsoft, model: asp.net core, scope: eq, version: 2.0

Trust: 3.3

vendor: microsoft, model: windows version for 32-bit systems, scope: eq, version: 1017030

Trust: 0.3

vendor: microsoft, model: asp.net, scope: eq, version: 0

Trust: 0.3

sources: CNVD: CNVD-2018-00899 // BID: 102377 // JVNDB: JVNDB-2018-001241 // CNNVD: CNNVD-201801-406 // NVD: CVE-2018-0784

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0784
value: HIGH

Trust: 1.0

NVD: CVE-2018-0784
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-00899
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201801-406
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2018-0784
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-00899
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2018-0784
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-00899 // JVNDB: JVNDB-2018-001241 // CNNVD: CNNVD-201801-406 // NVD: CVE-2018-0784

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-264

Trust: 0.8

sources: JVNDB: JVNDB-2018-001241 // NVD: CVE-2018-0784

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201801-406

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201801-406

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-001241

PATCH

title: CVE-2018-0784 | ASP.NET Core Elevation Of Privilege Vulnerability
url: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0784

Trust: 0.8

title: CVE-2018-0784 | ASP.NET Core Elevation of Privilege Vulnerability
url: https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/CVE-2018-0784

Trust: 0.8

title: Patch for Microsoft ASP.NET Core Privilege Escalation Vulnerability (CNVD-2018-00899)
url: https://www.cnvd.org.cn/patchInfo/show/113385

Trust: 0.6

title: Microsoft ASP.NET Core Fixes for permissions and access control vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77661

Trust: 0.6

sources: CNVD: CNVD-2018-00899 // JVNDB: JVNDB-2018-001241 // CNNVD: CNNVD-201801-406

EXTERNAL IDS

db: NVD, id: CVE-2018-0784

Trust: 3.3

db: BID, id: 102377

Trust: 2.5

db: SECTRACK, id: 1040151

Trust: 2.2

db: JVNDB, id: JVNDB-2018-001241

Trust: 0.8

db: CNVD, id: CNVD-2018-00899

Trust: 0.6

db: CNNVD, id: CNNVD-201801-406

Trust: 0.6

sources: CNVD: CNVD-2018-00899 // BID: 102377 // JVNDB: JVNDB-2018-001241 // CNNVD: CNNVD-201801-406 // NVD: CVE-2018-0784

REFERENCES

url:http://www.securityfocus.com/bid/102377

Trust: 2.2

url:http://www.securitytracker.com/id/1040151

Trust: 2.2

url:https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2018-0784

Trust: 1.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0784

Trust: 0.8

url:https://www.ipa.go.jp/security/ciadr/vul/20180110-ms.html

Trust: 0.8

url:http://www.jpcert.or.jp/at/2018/at180002.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-0784

Trust: 0.8

url:http://www.microsoft.com

Trust: 0.3

sources: CNVD: CNVD-2018-00899 // BID: 102377 // JVNDB: JVNDB-2018-001241 // CNNVD: CNNVD-201801-406 // NVD: CVE-2018-0784

CREDITS

Kévin Chalet

Trust: 0.3

sources: BID: 102377

SOURCES

db: CNVD, id: CNVD-2018-00899
db: BID, id: 102377
db: JVNDB, id: JVNDB-2018-001241
db: CNNVD, id: CNNVD-201801-406
db: NVD, id: CVE-2018-0784

LAST UPDATE DATE

2024-08-14T13:29:17.425000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-00899, date: 2018-01-15T00:00:00
db: BID, id: 102377, date: 2018-01-09T00:00:00
db: JVNDB, id: JVNDB-2018-001241, date: 2018-02-02T00:00:00
db: CNNVD, id: CNNVD-201801-406, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2018-0784, date: 2019-10-03T00:03:26.223

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-00899, date: 2018-01-15T00:00:00
db: BID, id: 102377, date: 2018-01-09T00:00:00
db: JVNDB, id: JVNDB-2018-001241, date: 2018-02-02T00:00:00
db: CNNVD, id: CNNVD-201801-406, date: 2018-01-11T00:00:00
db: NVD, id: CVE-2018-0784, date: 2018-01-10T01:29:00.243