CVE-2021-43877: ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability

Overview

Severity: High (CVSS 8.8)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Elevation of Privilege
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2021-Dec
Released: 2021-12-14
Last Updated: 2022-04-12
EPSS Score: 0.68% (percentile: 71.6%)

Affected Products (8)

Developer Tools

  • Microsoft Visual Studio 2019 version 16.7 (includes 16.0 - 16.6)
  • Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)
  • Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
  • Microsoft Visual Studio 2022 version 17.0
  • ASP.NET Core 3.1
  • ASP.NET Core 5.0
  • ASP.NET Core 6.0
  • Microsoft Visual Studio 2022 version 17.1

Security Updates (8)

Acknowledgments

Rami Abughazaleh (https://www.linkedin.com/in/rabughazaleh/)

Revision History

  • 2021-12-14: Information published.
  • 2022-04-12: The following changes were made: 1) Added Visual Studio 2022 version 17.1 to the Security Updates table as this version of Visual Studio is affected by this vulnerability. Customers running this version of Visual Studio 2022 should install the April 2022 security updates to be protected from this vulnerability. 2) Corrected Article link.