Security restrictions bypass in ASP.NET Core MVC - CVE-2018-0786
Published: January 9, 2018
Vulnerability identifier: #VU9899
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-0786
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Microsoft
Affected software:
ASP.NET Core MVC
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to improper validation of certificates by Microsoft .NET Framework (and .NET Core) components. A remote attacker can supply an invalid certificate that is nevertheless accepted, because its Enhanced Key Usage (EKU) taggings are disregarded.
How to mitigate CVE-2018-0786
Install the update from the vendor's website.