Details of VAR-201807-2080

ID

VAR-201807-2080

CVE

CVE-2018-8171

TITLE

ASP.NET Vulnerabilities bypassing security functions

Trust: 0.8

sources: JVNDB: JVNDB-2018-007985

DESCRIPTION

A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka "ASP.NET Security Feature Bypass Vulnerability." This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2. Microsoft ASP.NET is a cross-platform open source framework of Microsoft Corporation. The framework is used to build cloud-based applications such as web applications, IoT applications, and mobile backends. Attackers can use this vulnerability to make unlimited login requests. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may aid in further attacks

Trust: 2.97

sources: NVD: CVE-2018-8171 // JVNDB: JVNDB-2018-007985 // CNVD: CNVD-2018-15445 // CNNVD: CNNVD-201807-881 // BID: 104659

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2018-15445

AFFECTED PRODUCTS

vendor:	microsoft	model:	asp.net core	scope:	eq	version:	1.0	Trust: 3.3
vendor:	microsoft	model:	asp.net core	scope:	eq	version:	1.1	Trust: 3.3
vendor:	microsoft	model:	asp.net core	scope:	eq	version:	2.0	Trust: 3.3
vendor:	microsoft	model:	asp.net mvc	scope:	eq	version:	5.2	Trust: 1.7
vendor:	microsoft	model:	asp.net webpages	scope:	eq	version:	3.2.3	Trust: 1.6
vendor:	microsoft	model:	asp.net web pages	scope:	eq	version:	3.2.3	Trust: 1.1
vendor:	microsoft	model:	asp.net model view controller	scope:	eq	version:	5.2	Trust: 1.0
vendor:	microsoft	model:	asp.net core	scope:	eq	version:	5.2	Trust: 0.6

sources: CNVD: CNVD-2018-15445 // BID: 104659 // JVNDB: JVNDB-2018-007985 // CNNVD: CNNVD-201807-881 // NVD: CVE-2018-8171

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-8171
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-8171
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2018-15445
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201807-881
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2018-8171
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-15445
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2018-8171
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2018-15445 // JVNDB: JVNDB-2018-007985 // CNNVD: CNNVD-201807-881 // NVD: CVE-2018-8171

PROBLEMTYPE DATA

problemtype:

CWE-287

Trust: 1.8

sources: JVNDB: JVNDB-2018-007985 // NVD: CVE-2018-8171

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201807-881

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201807-881

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-007985

PATCH

title:	CVE-2018-8171 \| ASP.NET Security Feature Bypass Vulnerability	url:	https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8171	Trust: 0.8
title:	CVE-2018-8171 \| ASP.NET のセキュリティ機能のバイパスの脆弱性	url:	https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/CVE-2018-8171	Trust: 0.8
title:	Patch for Microsoft ASP.NET Core Security Bypass Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/137603	Trust: 0.6
title:	Microsoft ASP.NET Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81945	Trust: 0.6

sources: CNVD: CNVD-2018-15445 // JVNDB: JVNDB-2018-007985 // CNNVD: CNNVD-201807-881

EXTERNAL IDS

db:	NVD	id:	CVE-2018-8171	Trust: 3.3
db:	BID	id:	104659	Trust: 2.5
db:	SECTRACK	id:	1041267	Trust: 1.6
db:	JVNDB	id:	JVNDB-2018-007985	Trust: 0.8
db:	CNVD	id:	CNVD-2018-15445	Trust: 0.6
db:	CNNVD	id:	CNNVD-201807-881	Trust: 0.6

sources: CNVD: CNVD-2018-15445 // BID: 104659 // JVNDB: JVNDB-2018-007985 // CNNVD: CNNVD-201807-881 // NVD: CVE-2018-8171

REFERENCES

url:	https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2018-8171	Trust: 2.2
url:	http://www.securityfocus.com/bid/104659	Trust: 1.6
url:	http://www.securitytracker.com/id/1041267	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8171	Trust: 0.8
url:	https://www.ipa.go.jp/security/ciadr/vul/20180711-ms.html	Trust: 0.8
url:	http://www.jpcert.or.jp/at/2018/at180028.html	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-8171	Trust: 0.8
url:	http://www.microsoft.com/net/	Trust: 0.3
url:	http://www.microsoft.com	Trust: 0.3

sources: CNVD: CNVD-2018-15445 // BID: 104659 // JVNDB: JVNDB-2018-007985 // CNNVD: CNNVD-201807-881 // NVD: CVE-2018-8171

CREDITS

Martin Knafve

Trust: 0.3

sources: BID: 104659

SOURCES

db:	CNVD	id:	CNVD-2018-15445
db:	BID	id:	104659
db:	JVNDB	id:	JVNDB-2018-007985
db:	CNNVD	id:	CNNVD-201807-881
db:	NVD	id:	CVE-2018-8171

LAST UPDATE DATE

2024-08-14T14:32:59.267000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-15445	date:	2018-08-16T00:00:00
db:	BID	id:	104659	date:	2018-07-10T00:00:00
db:	JVNDB	id:	JVNDB-2018-007985	date:	2018-10-04T00:00:00
db:	CNNVD	id:	CNNVD-201807-881	date:	2021-07-01T00:00:00
db:	NVD	id:	CVE-2018-8171	date:	2021-06-30T16:52:59.210

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2018-15445	date:	2018-08-16T00:00:00
db:	BID	id:	104659	date:	2018-07-10T00:00:00
db:	JVNDB	id:	JVNDB-2018-007985	date:	2018-10-04T00:00:00
db:	CNNVD	id:	CNNVD-201807-881	date:	2018-07-11T00:00:00
db:	NVD	id:	CVE-2018-8171	date:	2018-07-11T00:29:00.320