CVE-2018-8171 - OpenCVE

A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka "ASP.NET Security Feature Bypass Vulnerability." This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Asp.net Model View Controller Asp.net Core Asp.net Webpages

Configuration 1 [-]

OR	cpe:2.3:a:microsoft:asp.net_core:1.0:::::::*
	cpe:2.3:a:microsoft:asp.net_core:1.1:::::::*
	cpe:2.3:a:microsoft:asp.net_core:2.0:::::::*
	cpe:2.3:a:microsoft:asp.net_model_view_controller:5.2:::::::*
	cpe:2.3:a:microsoft:asp.net_webpages:3.2.3:::::::*

References

Link	Resource
http://www.securityfocus.com/bid/104659	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1041267	Third Party Advisory VDB Entry
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8171	Vendor Advisory Patch

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: microsoft

Published: 2018-07-11T00:00:00

Updated: 2018-07-11T09:57:01

Reserved: 2018-03-14T00:00:00

Link: CVE-2018-8171

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-07-11T00:29:00.320

Modified: 2021-06-30T16:52:59.210

Link: CVE-2018-8171

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"containers": {"cna": {"affected": [{"product": "ASP.NET", "vendor": "Microsoft", "versions": [{"status": "affected", "version": "Web Pages 3.2.3 on Microsoft Visual Studio 2013 Update 5"}, {"status": "affected", "version": "Web Pages 3.2.3 on Microsoft Visual Studio 2015 Update 3"}]}, {"product": "ASP.NET Core", "vendor": "Microsoft", "versions": [{"status": "affected", "version": "1.0"}, {"status": "affected", "version": "1.1"}, {"status": "affected", "version": "2.0"}]}, {"product": "ASP.NET MVC 5.2", "vendor": "Microsoft", "versions": [{"status": "affected", "version": "Microsoft Visual Studio 2013 Update 5"}, {"status": "affected", "version": "Microsoft Visual Studio 2015 Update 3"}]}], "datePublic": "2018-07-10T00:00:00", "descriptions": [{"lang": "en", "value": "A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka \"ASP.NET Security Feature Bypass Vulnerability.\" This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2."}], "problemTypes": [{"descriptions": [{"description": "Security Feature Bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-07-11T09:57:01", "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft"}, "references": [{"name": "1041267", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1041267"}, {"name": "104659", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104659"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8171"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@microsoft.com", "ID": "CVE-2018-8171", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ASP.NET", "version": {"version_data": [{"version_value": "Web Pages 3.2.3 on Microsoft Visual Studio 2013 Update 5"}, {"version_value": "Web Pages 3.2.3 on Microsoft Visual Studio 2015 Update 3"}]}}, {"product_name": "ASP.NET Core", "version": {"version_data": [{"version_value": "1.0"}, {"version_value": "1.1"}, {"version_value": "2.0"}]}}, {"product_name": "ASP.NET MVC 5.2", "version": {"version_data": [{"version_value": "Microsoft Visual Studio 2013 Update 5"}, {"version_value": "Microsoft Visual Studio 2015 Update 3"}]}}]}, "vendor_name": "Microsoft"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka \"ASP.NET Security Feature Bypass Vulnerability.\" This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Security Feature Bypass"}]}]}, "references": {"reference_data": [{"name": "1041267", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1041267"}, {"name": "104659", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104659"}, {"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8171", "refsource": "CONFIRM", "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8171"}]}}}}, "cveMetadata": {"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "assignerShortName": "microsoft", "cveId": "CVE-2018-8171", "datePublished": "2018-07-11T00:00:00", "dateReserved": "2018-03-14T00:00:00", "dateUpdated": "2018-07-11T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:asp.net_core:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0913F82A-985A-401D-89F6-191684A8AB55", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:asp.net_core:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "8256236D-D4F0-4207-B82D-18B0135CEB4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:asp.net_core:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "345222C2-CD5B-4613-9FF3-9D034974D54F", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:asp.net_model_view_controller:5.2:*:*:*:*:*:*:*", "matchCriteriaId": "72194690-5B02-4E16-81CE-8447790D67A4", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:asp.net_webpages:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "E601B5A5-E15B-43BD-98D7-20CBF28A55C6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka \"ASP.NET Security Feature Bypass Vulnerability.\" This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2."}, {"lang": "es", "value": "Existe una vulnerabilidad de omisi\u00f3n de la caracter\u00edstica de seguridad en ASP.NET cuando el n\u00famero de intentos de inicio de sesi\u00f3n incorrectos no se valida. Esto tambi\u00e9n se conoce como \"ASP.NET Security Feature Bypass Vulnerability\". Esto afecta a ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0 y ASP.NET MVC 5.2."}], "id": "CVE-2018-8171", "lastModified": "2021-06-30T16:52:59.210", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-11T00:29:00.320", "references": [{"source": "secure@microsoft.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104659"}, {"source": "secure@microsoft.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1041267"}, {"source": "secure@microsoft.com", "tags": ["Vendor Advisory", "Patch"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8171"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}