ID

VAR-201909-0498


CVE

CVE-2019-1302


TITLE

ASP.NET Core Vulnerability in which privileges are elevated

Trust: 0.8

sources: JVNDB: JVNDB-2019-009186

DESCRIPTION

An elevation of privilege vulnerability exists when an ASP.NET Core web application, created using vulnerable project templates, fails to properly sanitize web requests, aka 'ASP.NET Core Elevation Of Privilege Vulnerability'. The vendor describes this as an ASP.NET Core privilege escalation vulnerability. Privileges may be elevated. Microsoft ASP.NET Core is a cross-platform open source framework from Microsoft Corporation in the United States. The framework is used to build cloud-based applications such as web applications, IoT applications, and mobile backends. Microsoft ASP.NET Core versions 2.1, 2.2, and 3.0 have an input validation error vulnerability. An attacker could use this vulnerability to run a script in the security context of the current user.

Trust: 2.16

sources: NVD: CVE-2019-1302 // JVNDB: JVNDB-2019-009186 // CNNVD: CNNVD-201909-483

AFFECTED PRODUCTS

vendor: microsoft, model: asp.net core, scope: eq, version: 2.1

Trust: 2.4

vendor: microsoft, model: asp.net core, scope: eq, version: 2.2

Trust: 2.4

vendor: microsoft, model: asp.net core, scope: eq, version: 3.0

Trust: 2.4

sources: JVNDB: JVNDB-2019-009186 // CNNVD: CNNVD-201909-483 // NVD: CVE-2019-1302

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1302
value: HIGH

Trust: 1.0

NVD: CVE-2019-1302
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201909-483
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-1302
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1302
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-1302
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2019-009186 // CNNVD: CNNVD-201909-483 // NVD: CVE-2019-1302

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.8

sources: JVNDB: JVNDB-2019-009186 // NVD: CVE-2019-1302

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201909-483

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-009186

PATCH

title: CVE-2019-1302 | ASP.NET Core Elevation Of Privilege Vulnerability
url: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1302

Trust: 0.8

title: CVE-2019-1302 | ASP.NET Core Elevation of Privilege Vulnerability
url: https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/CVE-2019-1302

Trust: 0.8

title: Microsoft ASP.NET Core Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98071

Trust: 0.6

sources: JVNDB: JVNDB-2019-009186 // CNNVD: CNNVD-201909-483

EXTERNAL IDS

db: NVD, id: CVE-2019-1302

Trust: 2.4

db: JVNDB, id: JVNDB-2019-009186

Trust: 0.8

db: CNNVD, id: CNNVD-201909-483

Trust: 0.6

sources: JVNDB: JVNDB-2019-009186 // CNNVD: CNNVD-201909-483 // NVD: CVE-2019-1302

REFERENCES

url:https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2019-1302

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2019-1302

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1302

Trust: 0.8

url:https://www.ipa.go.jp/security/ciadr/vul/20190911-ms.html

Trust: 0.8

url:https://www.jpcert.or.jp/at/2019/at190036.html

Trust: 0.8

url:https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/cve-2019-1302

Trust: 0.6

url:https://vigilance.fr/vulnerability/microsoft-net-core-vulnerabilities-of-september-2019-30306

Trust: 0.6

sources: JVNDB: JVNDB-2019-009186 // CNNVD: CNNVD-201909-483 // NVD: CVE-2019-1302

CREDITS

Ian Routledge (@ediblecode)

Trust: 0.6

sources: CNNVD: CNNVD-201909-483

SOURCES

db: JVNDB, id: JVNDB-2019-009186
db: CNNVD, id: CNNVD-201909-483
db: NVD, id: CVE-2019-1302

LAST UPDATE DATE

2024-08-14T14:51:04.251000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2019-009186, date: 2019-09-13T00:00:00
db: CNNVD, id: CNNVD-201909-483, date: 2019-09-17T00:00:00
db: NVD, id: CVE-2019-1302, date: 2019-09-12T17:29:15.053

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2019-009186, date: 2019-09-13T00:00:00
db: CNNVD, id: CNNVD-201909-483, date: 2019-09-10T00:00:00
db: NVD, id: CVE-2019-1302, date: 2019-09-11T22:15:19.087