CVE-2018-8171

A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka "ASP.NET Security Feature Bypass Vulnerability." This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2.

Published: Jul 11, 2018
Updated: May 9, 2024
CVE: CVE-2018-8171
GHSA: GHSA-vhvh-528q-ff3p
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
microsoft / asp.net_core	1.0	1.0.x
microsoft / asp.net_core	1.1	1.1.x
microsoft / asp.net_core	2.0	2.0.x
microsoft / asp.net_webpages	3.2.3	3.2.3.x
microsoft / asp.net_model_view_controller	5.2	5.2.x
Microsoft.AspNetCore.Identity	1.0.0	1.0.6
Microsoft.AspNetCore.Identity	1.1.0	1.1.6
Microsoft.AspNetCore.Identity	2.0.0	2.0.4
Microsoft.AspNetCore.Identity	2.1.0	2.1.2

http://www.securityfocus.com/bid/104659
http://www.securitytracker.com/id/1041267
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8171

Vulnerability Database

289,599

CVE-2018-8171