ASP.NET Core 2.0 allows an attacker to steal log-in session information such as cookies or authentication tokens via a specially crafted URL aka "ASP.NET Core Elevation Of Privilege Vulnerability".

Affected Packages

NuGet Microsoft.AspNetCore.All

Affected versions: 2.0.0 (fixed in 2.0.3)

NuGet Microsoft.AspNetCore.Mvc.Core

Affected versions: 2.0.0 (fixed in 2.0.1)

Related CVEs

CVE-2017-11879

Key Information

GHSA ID

GHSA-3wcj-rg8q-9cqv

Published

May 14, 2022 3:47 AM

Last Modified

July 8, 2022 7:21 PM

CVSS Score

7.5 /10

Primary Ecosystem

NuGet

Primary Package

Microsoft.AspNetCore.All

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 17, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.