CVE-2018-8171 - OpenCVE

A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka "ASP.NET Security Feature Bypass Vulnerability." This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Microsoft	Asp.net Core Asp.net Model View Controller Asp.net Webpages

Configuration 1 [-]

OR	cpe:2.3:a:microsoft:asp.net_core:1.0:::::::*
	cpe:2.3:a:microsoft:asp.net_core:1.1:::::::*
	cpe:2.3:a:microsoft:asp.net_core:2.0:::::::*
	cpe:2.3:a:microsoft:asp.net_model_view_controller:5.2:::::::*
	cpe:2.3:a:microsoft:asp.net_webpages:3.2.3:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/104659
http://www.securitytracker.com/id/1041267
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8171

History

No history.

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2018-07-11T00:00:00

Updated: 2024-08-05T06:46:13.464Z

Reserved: 2018-03-14T00:00:00

Link: CVE-2018-8171

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-07-11T00:29:00.320

Modified: 2021-06-30T16:52:59.210

Link: CVE-2018-8171

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "ASP.NET", "vendor": "Microsoft", "versions": [{"status": "affected", "version": "Web Pages 3.2.3 on Microsoft Visual Studio 2013 Update 5"}, {"status": "affected", "version": "Web Pages 3.2.3 on Microsoft Visual Studio 2015 Update 3"}]}, {"product": "ASP.NET Core", "vendor": "Microsoft", "versions": [{"status": "affected", "version": "1.0"}, {"status": "affected", "version": "1.1"}, {"status": "affected", "version": "2.0"}]}, {"product": "ASP.NET MVC 5.2", "vendor": "Microsoft", "versions": [{"status": "affected", "version": "Microsoft Visual Studio 2013 Update 5"}, {"status": "affected", "version": "Microsoft Visual Studio 2015 Update 3"}]}], "datePublic": "2018-07-10T00:00:00", "descriptions": [{"lang": "en", "value": "A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka \"ASP.NET Security Feature Bypass Vulnerability.\" This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2."}], "problemTypes": [{"descriptions": [{"description": "Security Feature Bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-07-11T09:57:01", "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft"}, "references": [{"name": "1041267", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1041267"}, {"name": "104659", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104659"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8171"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@microsoft.com", "ID": "CVE-2018-8171", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ASP.NET", "version": {"version_data": [{"version_value": "Web Pages 3.2.3 on Microsoft Visual Studio 2013 Update 5"}, {"version_value": "Web Pages 3.2.3 on Microsoft Visual Studio 2015 Update 3"}]}}, {"product_name": "ASP.NET Core", "version": {"version_data": [{"version_value": "1.0"}, {"version_value": "1.1"}, {"version_value": "2.0"}]}}, {"product_name": "ASP.NET MVC 5.2", "version": {"version_data": [{"version_value": "Microsoft Visual Studio 2013 Update 5"}, {"version_value": "Microsoft Visual Studio 2015 Update 3"}]}}]}, "vendor_name": "Microsoft"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka \"ASP.NET Security Feature Bypass Vulnerability.\" This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Security Feature Bypass"}]}]}, "references": {"reference_data": [{"name": "1041267", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1041267"}, {"name": "104659", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104659"}, {"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8171", "refsource": "CONFIRM", "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8171"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T06:46:13.464Z"}, "title": "CVE Program Container", "references": [{"name": "1041267", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1041267"}, {"name": "104659", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/104659"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8171"}]}]}, "cveMetadata": {"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "assignerShortName": "microsoft", "cveId": "CVE-2018-8171", "datePublished": "2018-07-11T00:00:00", "dateReserved": "2018-03-14T00:00:00", "dateUpdated": "2024-08-05T06:46:13.464Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:asp.net_core:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0913F82A-985A-401D-89F6-191684A8AB55", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:asp.net_core:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "8256236D-D4F0-4207-B82D-18B0135CEB4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:asp.net_core:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "345222C2-CD5B-4613-9FF3-9D034974D54F", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:asp.net_model_view_controller:5.2:*:*:*:*:*:*:*", "matchCriteriaId": "72194690-5B02-4E16-81CE-8447790D67A4", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:asp.net_webpages:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "E601B5A5-E15B-43BD-98D7-20CBF28A55C6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka \"ASP.NET Security Feature Bypass Vulnerability.\" This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2."}, {"lang": "es", "value": "Existe una vulnerabilidad de omisi\u00f3n de la caracter\u00edstica de seguridad en ASP.NET cuando el n\u00famero de intentos de inicio de sesi\u00f3n incorrectos no se valida. Esto tambi\u00e9n se conoce como \"ASP.NET Security Feature Bypass Vulnerability\". Esto afecta a ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0 y ASP.NET MVC 5.2."}], "id": "CVE-2018-8171", "lastModified": "2021-06-30T16:52:59.210", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-11T00:29:00.320", "references": [{"source": "secure@microsoft.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104659"}, {"source": "secure@microsoft.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1041267"}, {"source": "secure@microsoft.com", "tags": ["Vendor Advisory", "Patch"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8171"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}