CVE-2018-8171 (High) detected in microsoft.aspnetcore.identity.2.0.3.nupkg

[mend-bolt-for-github]

CVE-2018-8171 - High Severity Vulnerability

Vulnerable Library - microsoft.aspnetcore.identity.2.0.3.nupkg

ASP.NET Core Identity is the membership system for building ASP.NET Core web applications, including...

Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.identity.2.0.3.nupkg

Path to dependency file: /src/TestWebSite/TestWebSite.csproj

Path to vulnerable library: /tmp/ws-ua_20220708123351_QIKSIB/dotnet_WCHIOT/20220708123352/microsoft.aspnetcore.identity/2.0.3/microsoft.aspnetcore.identity.2.0.3.nupkg

Dependency Hierarchy:

• microsoft.aspnetcore.identity.entityframeworkcore.2.0.3.nupkg (Root Library)
  • ❌ microsoft.aspnetcore.identity.2.0.3.nupkg (Vulnerable Library)

Found in HEAD commit: 1acdde0e5e2173fc9be87dbb3080ebd3037e487b

Found in base branch: master

Vulnerability Details

A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka "ASP.NET Security Feature Bypass Vulnerability." This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2.

Publish Date: 2018-07-11

URL: CVE-2018-8171

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vhvh-528q-ff3p

Release Date: 2018-07-11

Fix Resolution: Microsoft.AspNetCore.Identity - 1.0.6,1.1.6,2.0.4,2.1.2

---

Step up your Open Source Security Game with Mend here