Sign-up

ID

VAR-201909-0498


CVE

CVE-2019-1302


TITLE

ASP.NET Core Vulnerability in which privileges are elevated

Trust: 0.8

sources: JVNDB: JVNDB-2019-009186

DESCRIPTION

An elevation of privilege vulnerability exists when a ASP.NET Core web application, created using vulnerable project templates, fails to properly sanitize web requests, aka 'ASP.NET Core Elevation Of Privilege Vulnerability'. The vendor ASP.NET Core As a privilege escalation vulnerability.Your privilege may be elevated. Microsoft ASP.NET Core is a cross-platform open source framework from Microsoft Corporation in the United States. The framework is used to build cloud-based applications such as web applications, IoT applications, and mobile backends. Microsoft ASP.NET Core version 2.1, 2.2, and 3.0 have an input validation error vulnerability. An attacker could use this vulnerability to run a script in the security context of the current user

Trust: 2.16

sources: NVD: CVE-2019-1302 // JVNDB: JVNDB-2019-009186 // CNNVD: CNNVD-201909-483

AFFECTED PRODUCTS

vendor:microsoftmodel:asp.net corescope:eqversion:2.1

Trust: 2.4

vendor:microsoftmodel:asp.net corescope:eqversion:2.2

Trust: 2.4

vendor:microsoftmodel:asp.net corescope:eqversion:3.0

Trust: 2.4

sources: JVNDB: JVNDB-2019-009186 // CNNVD: CNNVD-201909-483 // NVD: CVE-2019-1302

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1302
value: HIGH

Trust: 1.0

NVD: CVE-2019-1302
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201909-483
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-1302
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1302
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-1302
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2019-009186 // CNNVD: CNNVD-201909-483 // NVD: CVE-2019-1302

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.8

sources: JVNDB: JVNDB-2019-009186 // NVD: CVE-2019-1302

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201909-483

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-009186

PATCH
title:CVE-2019-1302 | ASP.NET Core Elevation Of Privilege Vulnerabilityurl:https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1302
Trust: 0.8
title:CVE-2019-1302 | ASP.NET Core の特権の昇格の脆弱性url:https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/CVE-2019-1302
Trust: 0.8
title:Microsoft ASP.NET Core Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98071
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-009186 // 
            
            
            
            CNNVD: CNNVD-201909-483

EXTERNAL IDS
db:NVDid:CVE-2019-1302
Trust: 2.4
db:JVNDBid:JVNDB-2019-009186
Trust: 0.8
db:CNNVDid:CNNVD-201909-483
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-009186 // 
            
            
            
            CNNVD: CNNVD-201909-483 // 
            
            
            
            NVD: CVE-2019-1302

REFERENCES
url:https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2019-1302
Trust: 1.6
url:https://nvd.nist.gov/vuln/detail/cve-2019-1302
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1302
Trust: 0.8
url:https://www.ipa.go.jp/security/ciadr/vul/20190911-ms.html
Trust: 0.8
url:https://www.jpcert.or.jp/at/2019/at190036.html
Trust: 0.8
url:https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/cve-2019-1302
Trust: 0.6
url:https://vigilance.fr/vulnerability/microsoft-net-core-vulnerabilities-of-september-2019-30306
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-009186 // 
            
            
            
            CNNVD: CNNVD-201909-483 // 
            
            
            
            NVD: CVE-2019-1302

CREDITS
Ian Routledge (@ediblecode)
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201909-483

SOURCES
db:JVNDBid:JVNDB-2019-009186
db:CNNVDid:CNNVD-201909-483
db:NVDid:CVE-2019-1302

LAST UPDATE DATE
2024-08-14T14:51:04.251000+00:00

SOURCES UPDATE DATE
db:JVNDBid:JVNDB-2019-009186date:2019-09-13T00:00:00
db:CNNVDid:CNNVD-201909-483date:2019-09-17T00:00:00
db:NVDid:CVE-2019-1302date:2019-09-12T17:29:15.053

SOURCES RELEASE DATE
db:JVNDBid:JVNDB-2019-009186date:2019-09-13T00:00:00
db:CNNVDid:CNNVD-201909-483date:2019-09-10T00:00:00
db:NVDid:CVE-2019-1302date:2019-09-11T22:15:19.087