Windows : .NET Core Multiple Vulnerabilities (KB5028705, KB5028706)

Vulnerability Search		Search 324607 CVE descriptions and 146377 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.832224

Category: Windows

Title: .NET Core Multiple Vulnerabilities (KB5028705, KB5028706) - Windows

Summary: .NET Core prone to security feature bypass; and elevation of privilege vulnerabilities.

Description: Summary:
.NET Core prone to security feature bypass
and elevation of privilege vulnerabilities.

Vulnerability Insight:
Multiple flaws exist due to,

- A vulnerability exists in .NET applications where the diagnostic server can be
exploited to achieve cross-session/cross-user elevation of privilege (EoP) and
code execution.

- A vulnerability exists in ASP.NET Core applications where account lockout
maximum failed attempts may not be immediately updated, allowing an attacker to
try more passwords.

Vulnerability Impact:
Successful exploitation would allow an attacker
to bypass security restrictions, achieve cross-session/cross-user elevation of
privilege (EoP) and code execution.

Affected Software/OS:
.NET Core runtime 6.0 before 6.0.20, 7.0 before
7.0.9 and .NET Core SDK before 6.0.120, 6.0.315, 7.0.306.

Solution:
Upgrade .NET Core runtimes to versions
6.0.20 or 7.0.9 or later or upgrade .NET Core SDK to versions 6.0.120 or 6.0.315 or
7.0.306 or later.

CVSS Score:
7.6

CVSS Vector:
AV:N/AC:H/Au:N/C:C/I:C/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2023-33170
ASP.NET and Visual Studio Security Feature Bypass Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33170
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVZVMMCCBBCSCPAW2CRQGOTKIHVFCMRO/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O5CFOR6ID2HP45E7ZOGQNX76FPIWP7XR/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TLWNIIA2I6YCYVCXYBPBRSZ3UH6KILTG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3VJRGNYJXGPF5LXUG3NL45QPK2UU6PL/
Common Vulnerability Exposure (CVE) ID: CVE-2023-33127
.NET and Visual Studio Elevation of Privilege Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33127

Copyright Copyright (C) 2023 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.832224
Category:	Windows
Title:	.NET Core Multiple Vulnerabilities (KB5028705, KB5028706) - Windows
Summary:	.NET Core prone to security feature bypass; and elevation of privilege vulnerabilities.
Description:	Summary: .NET Core prone to security feature bypass and elevation of privilege vulnerabilities. Vulnerability Insight: Multiple flaws exist due to, - A vulnerability exists in .NET applications where the diagnostic server can be exploited to achieve cross-session/cross-user elevation of privilege (EoP) and code execution. - A vulnerability exists in ASP.NET Core applications where account lockout maximum failed attempts may not be immediately updated, allowing an attacker to try more passwords. Vulnerability Impact: Successful exploitation would allow an attacker to bypass security restrictions, achieve cross-session/cross-user elevation of privilege (EoP) and code execution. Affected Software/OS: .NET Core runtime 6.0 before 6.0.20, 7.0 before 7.0.9 and .NET Core SDK before 6.0.120, 6.0.315, 7.0.306. Solution: Upgrade .NET Core runtimes to versions 6.0.20 or 7.0.9 or later or upgrade .NET Core SDK to versions 6.0.120 or 6.0.315 or 7.0.306 or later. CVSS Score: 7.6 CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2023-33170 ASP.NET and Visual Studio Security Feature Bypass Vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33170 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVZVMMCCBBCSCPAW2CRQGOTKIHVFCMRO/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O5CFOR6ID2HP45E7ZOGQNX76FPIWP7XR/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TLWNIIA2I6YCYVCXYBPBRSZ3UH6KILTG/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3VJRGNYJXGPF5LXUG3NL45QPK2UU6PL/ Common Vulnerability Exposure (CVE) ID: CVE-2023-33127 .NET and Visual Studio Elevation of Privilege Vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33127
Copyright	Copyright (C) 2023 Greenbone AG