ID

VAR-201803-1622


CVE

CVE-2018-0787


TITLE

ASP.NET Core Elevation of Privilege Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-002558

DESCRIPTION

ASP.NET Core 1.0, 1.1, and 2.0 allow an elevation of privilege vulnerability due to how web applications that are created from templates validate web requests, aka "ASP.NET Core Elevation Of Privilege Vulnerability". The vendor has published this issue as an ASP.NET Core elevation of privilege vulnerability; privileges may be elevated. Microsoft ASP.NET Core is a cross-platform, open source framework from Microsoft Corporation of the United States. The framework is used to build cloud-based applications such as web applications, IoT applications, and mobile backends. Attackers can use this vulnerability to carry out HTML injection attacks to gain elevated permissions. An attacker can exploit this issue to gain elevated privileges.

Trust: 2.97

sources: NVD: CVE-2018-0787 // JVNDB: JVNDB-2018-002558 // CNVD: CNVD-2018-06777 // CNNVD: CNNVD-201803-534 // BID: 103282

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-06777

AFFECTED PRODUCTS

vendor: microsoft, model: asp.net core, scope: eq, version: 2.0

Trust: 3.3

vendor: microsoft, model: asp.net core, scope: eq, version: 1.1

Trust: 1.6

vendor: microsoft, model: asp.net core, scope: eq, version: 1.0

Trust: 1.6

sources: CNVD: CNVD-2018-06777 // BID: 103282 // JVNDB: JVNDB-2018-002558 // CNNVD: CNNVD-201803-534 // NVD: CVE-2018-0787

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-0787
value: HIGH

Trust: 1.0

NVD: CVE-2018-0787
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-06777
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201803-534
value: MEDIUM

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2018-0787
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-06777
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2018-0787
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-06777 // JVNDB: JVNDB-2018-002558 // CNNVD: CNNVD-201803-534 // NVD: CVE-2018-0787

PROBLEMTYPE DATA

problemtype: CWE-640

Trust: 1.8

sources: JVNDB: JVNDB-2018-002558 // NVD: CVE-2018-0787

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-534

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201803-534

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-002558

PATCH

title: CVE-2018-0787 | ASP.NET Core Elevation of Privilege Vulnerability
url: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0787

Trust: 0.8

title: CVE-2018-0787 | ASP.NET Core Elevation of Privilege Vulnerability
url: https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/CVE-2018-0787

Trust: 0.8

title: Patch for Microsoft ASP.NET Core Remote Elevation of Privilege Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/124357

Trust: 0.6

title: Microsoft ASP.NET Core Fixes for permissions and access control vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79183

Trust: 0.6

sources: CNVD: CNVD-2018-06777 // JVNDB: JVNDB-2018-002558 // CNNVD: CNNVD-201803-534

EXTERNAL IDS

db: NVD, id: CVE-2018-0787

Trust: 3.3

db: BID, id: 103282

Trust: 1.9

db: SECTRACK, id: 1040525

Trust: 1.0

db: JVNDB, id: JVNDB-2018-002558

Trust: 0.8

db: CNVD, id: CNVD-2018-06777

Trust: 0.6

db: NSFOCUS, id: 39065

Trust: 0.6

db: CNNVD, id: CNNVD-201803-534

Trust: 0.6

sources: CNVD: CNVD-2018-06777 // BID: 103282 // JVNDB: JVNDB-2018-002558 // CNNVD: CNNVD-201803-534 // NVD: CVE-2018-0787

REFERENCES

url:https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2018-0787

Trust: 1.9

url:https://nvd.nist.gov/vuln/detail/cve-2018-0787

Trust: 1.4

url:http://www.securityfocus.com/bid/103282

Trust: 1.0

url:http://www.securitytracker.com/id/1040525

Trust: 1.0

url:https://github.com/aspnet/announcements/issues/295

Trust: 1.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0787

Trust: 0.8

url:https://www.ipa.go.jp/security/ciadr/vul/20180314-ms.html

Trust: 0.8

url:http://www.jpcert.or.jp/at/2018/at180011.html

Trust: 0.8

url:http://www.nsfocus.net/vulndb/39065

Trust: 0.6

url:http://www.microsoft.com

Trust: 0.3

sources: CNVD: CNVD-2018-06777 // BID: 103282 // JVNDB: JVNDB-2018-002558 // CNNVD: CNNVD-201803-534 // NVD: CVE-2018-0787

CREDITS

Mikhail Shcherbakov

Trust: 0.3

sources: BID: 103282

SOURCES

db: CNVD, id: CNVD-2018-06777
db: BID, id: 103282
db: JVNDB, id: JVNDB-2018-002558
db: CNNVD, id: CNNVD-201803-534
db: NVD, id: CVE-2018-0787

LAST UPDATE DATE

2024-08-14T14:20:04.909000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-06777, date: 2018-03-30T00:00:00
db: BID, id: 103282, date: 2018-03-13T00:00:00
db: JVNDB, id: JVNDB-2018-002558, date: 2018-04-18T00:00:00
db: CNNVD, id: CNNVD-201803-534, date: 2018-03-15T00:00:00
db: NVD, id: CVE-2018-0787, date: 2018-04-11T15:07:12.833

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-06777, date: 2018-03-30T00:00:00
db: BID, id: 103282, date: 2018-03-13T00:00:00
db: JVNDB, id: JVNDB-2018-002558, date: 2018-04-18T00:00:00
db: CNNVD, id: CNNVD-201803-534, date: 2018-03-15T00:00:00
db: NVD, id: CVE-2018-0787, date: 2018-03-14T17:29:00.370