Vulnerability identifier: #VU653
Vulnerability risk: Medium
CVSSv3.1: 4.4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:C/I:C/A:L/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
ASP.NET Core MVC
Universal components / Libraries /
Software for developers
Vendor: Microsoft
Description
The vulnerability allows a remote authenticated user to obtain elevated privileges.
The vulnerability exists due to design error in View Component implementation within public versions of ASP.NET Core MVC 1.0.0. A malicious user can gain access to potentially sensitive information on the system and obtain elevated privileges on the system.
Successful exploitation of this vulnerability will allow an attacker to obtain elevated privileges on vulnerable system.
The following packages are vulnerable:
Mitigation
Update ASP.NET Core MVC to 1.0.1.
Microsoft .NET Core 1.0.1 – VS 2015 Tooling Preview 2" updates the ASP.NET Core templates to use the fixed packages.
To download this preview, see the "Tools" section of the .NET Downloads page.
Vulnerable software versions
ASP.NET Core MVC: 1.0.0
External links
http://technet.microsoft.com/en-us/library/security/3181759.aspx
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.