CVE-2018-8171

CWE-287 — Improper Authentication5 documents5 sources

Severity

7.5HIGH

EPSS

24.3%

top 3.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Asp.net Microsoft Asp.net Core Microsoft Asp.net MVC 5.2 +2 more

Timeline

PublishedJul 11

Latest updateOct 16

Description

A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka "ASP.NET Security Feature Bypass Vulnerability." This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

▶NuGetMicrosoft.AspNetCore.Identity1.0.0 — 1.0.6+3

▶CVEListV5microsoft/asp.net_core1.0, 1.1, 2.0+2

▶NVDmicrosoft/asp.net_core1.0, 1.1, 2.0+2

▶CVEListV5microsoft/asp.netWeb Pages 3.2.3 on Microsoft Visual Studio 2013 Update 5, Web Pages 3.2.3 on Microsoft Visual Studio 2015 Update 3+1

▶CVEListV5microsoft/asp.net_mvc_5.2Microsoft Visual Studio 2013 Update 5, Microsoft Visual Studio 2015 Update 3+1

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

Security feature bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated↗2018-10-16

▶

OSV

Security feature bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated↗2018-10-16

▶

CVEList

CVE-2018-8171: A Security Feature Bypass vulnerability exists in ASP↗2018-07-11

▶

📋Vendor Advisories

Microsoft

ASP.NET Security Feature Bypass Vulnerability↗2018-07-10

▶