7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-8171

GHSA ID

GHSA-vhvh-528q-ff3p

EPSS Score

0.93267%

CWE

CWE-287

Published

10/16/2018

Updated

2/1/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-8171

CVE-2018-8171:
Security feature bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated

A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka "ASP.NET Security Feature Bypass Vulnerability." This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-8171

GHSA ID

GHSA-vhvh-528q-ff3p

EPSS Score

0.93267%

CWE

CWE-287

Published

10/16/2018

Updated

2/1/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Microsoft.AspNetCore.Identity	nuget	>= 1.0.0, <= 1.0.5	1.0.6
Microsoft.AspNetCore.Identity	nuget	>= 1.1.0, <= 1.1.5	1.1.6
Microsoft.AspNetCore.Identity	nuget	>= 2.0.0, <= 2.0.3	2.0.4
Microsoft.AspNetCore.Identity	nuget	>= 2.1.0, <= 2.1.1	2.1.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers on improper tracking of failed login attempts. In ASP.NET Identity:

UserManager.CheckPasswordAsync is the core method for password validation that would need to track failed attempts
SignInManager.PasswordSignInAsync is the main entry point for login attempts that should enforce lockout policies These functions would appear in stack traces during authentication attempts and were likely modified in patched versions to add proper attempt counting and lockout validation. The high confidence comes from their central role in authentication flows and the vulnerability's focus on attempt validation missing in security controls.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* S**urity ***tur* *yp*ss vuln*r**ility *xists in *SP.N*T w**n t** num**r o* in*orr**t lo*in *tt*mpts is not v*li**t**, *k* "*SP.N*T S**urity ***tur* *yp*ss Vuln*r**ility." T*is *****ts *SP.N*T, *SP.N*T *or* *.*, *SP.N*T *or* *.*, *SP.N*T *or* *.*, *

Reasoning

T** vuln*r**ility **nt*rs on improp*r tr**kin* o* **il** lo*in *tt*mpts. In *SP.N*T I**ntity: *. Us*rM*n***r.****kP*sswor**syn* is t** *or* m*t*o* *or p*sswor* v*li**tion t**t woul* n*** to tr**k **il** *tt*mpts *. Si*nInM*n***r.P*sswor*Si*nIn*syn* i

7.5

Basic Information

Concerned about an active attack path?

CVE-2018-8171: Security feature bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2018-8171:
Security feature bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated

Vulnerability Intelligence
Miggo AI