Details of VAR-201803-1622

ID

VAR-201803-1622

CVE

CVE-2018-0787

TITLE

ASP.NET Core Vulnerability in which privileges are elevated

Trust: 0.8

sources: JVNDB: JVNDB-2018-002558

DESCRIPTION

ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnerability due to how web applications that are created from templates validate web requests, aka "ASP.NET Core Elevation Of Privilege Vulnerability". The vendor ASP.NET Core As a privilege escalation vulnerability.Your privilege may be elevated. Microsoft ASP.NET Core is a cross-platform open source framework of Microsoft Corporation of the United States. The framework is used to build cloud-based applications such as web applications, IoT applications, and mobile backends. Attackers can use this vulnerability to implement HTML injection attacks to gain elevated permissions. An attacker can exploit this issue to gain elevated privileges

Trust: 2.97

sources: NVD: CVE-2018-0787 // JVNDB: JVNDB-2018-002558 // CNVD: CNVD-2018-06777 // CNNVD: CNNVD-201803-534 // BID: 103282

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2018-06777

AFFECTED PRODUCTS

vendor:	microsoft	model:	asp.net core	scope:	eq	version:	2.0	Trust: 3.3
vendor:	microsoft	model:	asp.net core	scope:	eq	version:	1.1	Trust: 1.6
vendor:	microsoft	model:	asp.net core	scope:	eq	version:	1.0	Trust: 1.6

sources: CNVD: CNVD-2018-06777 // BID: 103282 // JVNDB: JVNDB-2018-002558 // CNNVD: CNNVD-201803-534 // NVD: CVE-2018-0787

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-0787
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-0787
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2018-06777
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201803-534
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2018-0787
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-06777
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2018-0787
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2018-06777 // JVNDB: JVNDB-2018-002558 // CNNVD: CNNVD-201803-534 // NVD: CVE-2018-0787

PROBLEMTYPE DATA

problemtype:

CWE-640

Trust: 1.8

sources: JVNDB: JVNDB-2018-002558 // NVD: CVE-2018-0787

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-534

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201803-534

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-002558

PATCH

title:	CVE-2018-0787 \| ASP.NET Core Elevation of Privilege Vulnerability	url:	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0787	Trust: 0.8
title:	CVE-2018-0787 \| ASP.NET Core の特権の昇格の脆弱性	url:	https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/CVE-2018-0787	Trust: 0.8
title:	Patch for Microsoft ASP.NET Core Remote Elevation of Privilege Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/124357	Trust: 0.6
title:	Microsoft ASP.NET Core Fixes for permission permissions and access control vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79183	Trust: 0.6

sources: CNVD: CNVD-2018-06777 // JVNDB: JVNDB-2018-002558 // CNNVD: CNNVD-201803-534

EXTERNAL IDS

db:	NVD	id:	CVE-2018-0787	Trust: 3.3
db:	BID	id:	103282	Trust: 1.9
db:	SECTRACK	id:	1040525	Trust: 1.0
db:	JVNDB	id:	JVNDB-2018-002558	Trust: 0.8
db:	CNVD	id:	CNVD-2018-06777	Trust: 0.6
db:	NSFOCUS	id:	39065	Trust: 0.6
db:	CNNVD	id:	CNNVD-201803-534	Trust: 0.6

sources: CNVD: CNVD-2018-06777 // BID: 103282 // JVNDB: JVNDB-2018-002558 // CNNVD: CNNVD-201803-534 // NVD: CVE-2018-0787

REFERENCES

url:	https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2018-0787	Trust: 1.9
url:	https://nvd.nist.gov/vuln/detail/cve-2018-0787	Trust: 1.4
url:	http://www.securityfocus.com/bid/103282	Trust: 1.0
url:	http://www.securitytracker.com/id/1040525	Trust: 1.0
url:	https://github.com/aspnet/announcements/issues/295	Trust: 1.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0787	Trust: 0.8
url:	https://www.ipa.go.jp/security/ciadr/vul/20180314-ms.html	Trust: 0.8
url:	http://www.jpcert.or.jp/at/2018/at180011.html	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/39065	Trust: 0.6
url:	http://www.microsoft.com	Trust: 0.3

sources: CNVD: CNVD-2018-06777 // BID: 103282 // JVNDB: JVNDB-2018-002558 // CNNVD: CNNVD-201803-534 // NVD: CVE-2018-0787

CREDITS

Mikhail Shcherbakov

Trust: 0.3

sources: BID: 103282

SOURCES

db:	CNVD	id:	CNVD-2018-06777
db:	BID	id:	103282
db:	JVNDB	id:	JVNDB-2018-002558
db:	CNNVD	id:	CNNVD-201803-534
db:	NVD	id:	CVE-2018-0787

LAST UPDATE DATE

2024-08-14T14:20:04.909000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-06777	date:	2018-03-30T00:00:00
db:	BID	id:	103282	date:	2018-03-13T00:00:00
db:	JVNDB	id:	JVNDB-2018-002558	date:	2018-04-18T00:00:00
db:	CNNVD	id:	CNNVD-201803-534	date:	2018-03-15T00:00:00
db:	NVD	id:	CVE-2018-0787	date:	2018-04-11T15:07:12.833

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2018-06777	date:	2018-03-30T00:00:00
db:	BID	id:	103282	date:	2018-03-13T00:00:00
db:	JVNDB	id:	JVNDB-2018-002558	date:	2018-04-18T00:00:00
db:	CNNVD	id:	CNNVD-201803-534	date:	2018-03-15T00:00:00
db:	NVD	id:	CVE-2018-0787	date:	2018-03-14T17:29:00.370