High severity8.8NVD Advisory· Published Nov 15, 2017· Updated May 13, 2026

CVE-2017-11879

Description

ASP.NET Core 2.0 allows an attacker to steal log-in session information such as cookies or authentication tokens via a specially crafted URL aka "ASP.NET Core Elevation Of Privilege Vulnerability".

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
Microsoft.AspNetCore.AllNuGet	>= 2.0.0, < 2.0.3	2.0.3
Microsoft.AspNetCore.Mvc.CoreNuGet	>= 2.0.0, < 2.0.1	2.0.1

Affected products

Microsoft/Aspnetcore
cpe:2.3:a:microsoft:asp.net_core:2.0:*:*:*:*:*:*:*
Microsoft Corporation/ASP.NET Corev5
Range: ASP.NET Core 2.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11879nvdIssue TrackingPatchVendor AdvisoryWEB
www.securityfocus.com/bid/101713nvdThird Party AdvisoryVDB Entry
www.securitytracker.com/id/1039793nvdIssue TrackingThird Party AdvisoryVDB Entry
github.com/advisories/GHSA-3wcj-rg8q-9cqvghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-11879ghsaADVISORY
github.com/aspnet/Announcements/issues/277ghsaWEB
github.com/github/advisory-database/issues/302ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.008
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000