HIGH 8.8
GHSA-365p-96qv-xr7g
ASP.NET Core allow an elevation of privilege
Details
ASP.NET Core 1.0, 1.1, and 2.0 allow an elevation of privilege vulnerability due to how web applications that are created from templates validate web requests, aka "ASP.NET Core Elevation Of Privilege Vulnerability".
Affected packages
NuGet / Microsoft.AspNetCore.HttpOverrides
Introduced in: 2.0.0
Fixed in: 2.0.2
Fix
dotnet add package Microsoft.AspNetCore.HttpOverrides --version 2.0.2
NuGet / Microsoft.AspNetCore.Server.Kestrel.Core
Introduced in: 2.0.0
Fixed in: 2.0.2
Fix
dotnet add package Microsoft.AspNetCore.Server.Kestrel.Core --version 2.0.2
References
- https://nvd.nist.gov/vuln/detail/CVE-2018-0787 [ADVISORY]
- https://github.com/aspnet/Announcements/issues/295 [WEB]
- https://github.com/advisories/GHSA-365p-96qv-xr7g [ADVISORY]
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0787 [WEB]
- http://www.securityfocus.com/bid/103282 [WEB]
- http://www.securitytracker.com/id/1040525 [WEB]