Weak authentication in ASP.NET Core & Visual Studio allows an unauthorized attacker to elevate privileges over a network.
Weakness
The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Asp.net_core | Microsoft | 8.0.0 (including) | 8.0.14 (excluding) |
| Asp.net_core | Microsoft | 9.0.0 (including) | 9.0.3 (excluding) |
| Visual_studio_2022 | Microsoft | 17.8.0 (including) | 17.8.19 (excluding) |
| Visual_studio_2022 | Microsoft | 17.10.0 (including) | 17.10.12 (excluding) |
| Visual_studio_2022 | Microsoft | 17.12.0 (including) | 17.12.6 (excluding) |
| Visual_studio_2022 | Microsoft | 17.13.0 (including) | 17.13.3 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | dotnet9.0-0:9.0.104-1.el8_10 | * |
| Red Hat Enterprise Linux 8 | RedHat | dotnet8.0-0:8.0.114-1.el8_10 | * |
| Red Hat Enterprise Linux 9 | RedHat | dotnet9.0-0:9.0.104-1.el9_5 | * |
| Red Hat Enterprise Linux 9 | RedHat | dotnet8.0-0:8.0.114-1.el9_5 | * |
| Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | dotnet8.0-0:8.0.114-1.el9_4 | * |
| Dotnet7 | Ubuntu | jammy | * |
| Dotnet8 | Ubuntu | jammy | * |
| Dotnet8 | Ubuntu | noble | * |
| Dotnet8 | Ubuntu | oracular | * |
| Dotnet8 | Ubuntu | plucky | * |
| Dotnet8 | Ubuntu | questing | * |
| Dotnet9 | Ubuntu | oracular | * |
| Dotnet9 | Ubuntu | plucky | * |
| Dotnet9 | Ubuntu | questing | * |
Extended Description
Attackers may be able to bypass weak authentication faster and/or with less effort than expected.