ID

VAR-201807-2080


CVE

CVE-2018-8171


TITLE

ASP.NET Vulnerabilities bypassing security functions

Trust: 0.8

sources: JVNDB: JVNDB-2018-007985

DESCRIPTION

A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka "ASP.NET Security Feature Bypass Vulnerability." This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2. Microsoft ASP.NET is a cross-platform open source framework of Microsoft Corporation. The framework is used to build cloud-based applications such as web applications, IoT applications, and mobile backends. Attackers can use this vulnerability to make unlimited login requests. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may aid in further attacks

Trust: 2.97

sources: NVD: CVE-2018-8171 // JVNDB: JVNDB-2018-007985 // CNVD: CNVD-2018-15445 // CNNVD: CNNVD-201807-881 // BID: 104659

IOT TAXONOMY

category:['IoT']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-15445

AFFECTED PRODUCTS

vendor:microsoftmodel:asp.net corescope:eqversion:1.0

Trust: 3.3

vendor:microsoftmodel:asp.net corescope:eqversion:1.1

Trust: 3.3

vendor:microsoftmodel:asp.net corescope:eqversion:2.0

Trust: 3.3

vendor:microsoftmodel:asp.net mvcscope:eqversion:5.2

Trust: 1.7

vendor:microsoftmodel:asp.net webpagesscope:eqversion:3.2.3

Trust: 1.6

vendor:microsoftmodel:asp.net web pagesscope:eqversion:3.2.3

Trust: 1.1

vendor:microsoftmodel:asp.net model view controllerscope:eqversion:5.2

Trust: 1.0

vendor:microsoftmodel:asp.net corescope:eqversion:5.2

Trust: 0.6

sources: CNVD: CNVD-2018-15445 // BID: 104659 // JVNDB: JVNDB-2018-007985 // CNNVD: CNNVD-201807-881 // NVD: CVE-2018-8171

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-8171
value: HIGH

Trust: 1.0

NVD: CVE-2018-8171
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-15445
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201807-881
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2018-8171
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-15445
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2018-8171
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-15445 // JVNDB: JVNDB-2018-007985 // CNNVD: CNNVD-201807-881 // NVD: CVE-2018-8171

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.8

sources: JVNDB: JVNDB-2018-007985 // NVD: CVE-2018-8171

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201807-881

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201807-881

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-007985

PATCH

title:CVE-2018-8171 | ASP.NET Security Feature Bypass Vulnerabilityurl:https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8171

Trust: 0.8

title:CVE-2018-8171 | ASP.NET のセキュリティ機能のバイパスの脆弱性url:https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/CVE-2018-8171

Trust: 0.8

title:Patch for Microsoft ASP.NET Core Security Bypass Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/137603

Trust: 0.6

title:Microsoft ASP.NET Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81945

Trust: 0.6

sources: CNVD: CNVD-2018-15445 // JVNDB: JVNDB-2018-007985 // CNNVD: CNNVD-201807-881

EXTERNAL IDS

db:NVDid:CVE-2018-8171

Trust: 3.3

db:BIDid:104659

Trust: 2.5

db:SECTRACKid:1041267

Trust: 1.6

db:JVNDBid:JVNDB-2018-007985

Trust: 0.8

db:CNVDid:CNVD-2018-15445

Trust: 0.6

db:CNNVDid:CNNVD-201807-881

Trust: 0.6

sources: CNVD: CNVD-2018-15445 // BID: 104659 // JVNDB: JVNDB-2018-007985 // CNNVD: CNNVD-201807-881 // NVD: CVE-2018-8171

REFERENCES

url:https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2018-8171

Trust: 2.2

url:http://www.securityfocus.com/bid/104659

Trust: 1.6

url:http://www.securitytracker.com/id/1041267

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8171

Trust: 0.8

url:https://www.ipa.go.jp/security/ciadr/vul/20180711-ms.html

Trust: 0.8

url:http://www.jpcert.or.jp/at/2018/at180028.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-8171

Trust: 0.8

url:http://www.microsoft.com/net/

Trust: 0.3

url:http://www.microsoft.com

Trust: 0.3

sources: CNVD: CNVD-2018-15445 // BID: 104659 // JVNDB: JVNDB-2018-007985 // CNNVD: CNNVD-201807-881 // NVD: CVE-2018-8171

CREDITS

Martin Knafve

Trust: 0.3

sources: BID: 104659

SOURCES

db:CNVDid:CNVD-2018-15445
db:BIDid:104659
db:JVNDBid:JVNDB-2018-007985
db:CNNVDid:CNNVD-201807-881
db:NVDid:CVE-2018-8171

LAST UPDATE DATE

2024-08-14T14:32:59.267000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2018-15445date:2018-08-16T00:00:00
db:BIDid:104659date:2018-07-10T00:00:00
db:JVNDBid:JVNDB-2018-007985date:2018-10-04T00:00:00
db:CNNVDid:CNNVD-201807-881date:2021-07-01T00:00:00
db:NVDid:CVE-2018-8171date:2021-06-30T16:52:59.210

SOURCES RELEASE DATE

db:CNVDid:CNVD-2018-15445date:2018-08-16T00:00:00
db:BIDid:104659date:2018-07-10T00:00:00
db:JVNDBid:JVNDB-2018-007985date:2018-10-04T00:00:00
db:CNNVDid:CNNVD-201807-881date:2018-07-11T00:00:00
db:NVDid:CVE-2018-8171date:2018-07-11T00:29:00.320