CVE-2023-36558: ASP.NET Core Security Feature Bypass Vulnerability

Overview

Severity: Medium (CVSS 6.2)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Category: Security Feature Bypass
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2023-Nov
Released: 2023-11-14
Last Updated: 2024-02-13
EPSS Score: 0.35% (percentile: 57.4%)

FAQ

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

An unauthenticated attacker could bypass validations on Blazor Server forms.

How could an attacker exploit this vulnerability?

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then trigger an event that could exploit the vulnerability to save an invalid state to a database or trigger other unintended actions, depending on what functionality the form provides.

Affected Products (10)

Developer Tools

  • .NET 6.0
  • ASP.NET Core 6.0
  • .NET 7.0
  • Microsoft Visual Studio 2022 version 17.2
  • .NET 8.0
  • Microsoft Visual Studio 2022 version 17.4
  • Microsoft Visual Studio 2022 version 17.6
  • Microsoft Visual Studio 2022 version 17.7
  • ASP.NET Core 7.0
  • ASP.NET Core 8.0

Security Updates (9)

Revision History

  • 2023-11-14: Information published.
  • 2023-11-28: Updated acknowledgment. This is an informational change only.
  • 2024-02-13: Corrected Article links in the Security Updates table. This is an informational change only.