CVE-2018-0787
Description
ASP.NET Core 1.0, 1.1, and 2.0 allow an elevation of privilege vulnerability due to how web applications that are created from templates validate web requests, aka "ASP.NET Core Elevation Of Privilege Vulnerability".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ASP.NET Core 1.0, 1.1, and 2.0 have an elevation of privilege vulnerability when hosted directly via Kestrel without host header validation.
Vulnerability
ASP.NET Core versions 1.0, 1.1, and 2.0 contain an elevation of privilege vulnerability due to how web applications created from templates validate web requests. The issue occurs when an application is hosted directly on Kestrel, which does not perform host header validation, or when hosted behind a proxy that does not validate or restrict host headers to known good values. For ASP.NET Core 2.0, packages Microsoft.AspNetCore.HttpOverrides versions 2.0.0 and 2.0.1 and Microsoft.AspNetCore.Server.Kestrel.Core versions 2.0.0 and 2.0.1 are also affected [1][3].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted HTTP request with a malicious Host header to an affected ASP.NET Core application. No authentication or user interaction is required; the attacker only needs network access to the service. If the application relies on the Host header for generating links or enforcing security policies, the attacker can manipulate the header to redirect traffic, inject content, or bypass security checks, leading to elevation of privilege [1].
Impact
Successful exploitation allows an attacker to elevate their privileges within the context of the web application. This could lead to actions such as bypassing authorization checks, accessing resources intended for higher-privileged users, or performing operations that should be restricted, potentially compromising the confidentiality, integrity, or availability of the application [1][2].
Mitigation
For ASP.NET Core 2.0, update packages Microsoft.AspNetCore.HttpOverrides to version 2.0.2 or later and Microsoft.AspNetCore.Server.Kestrel.Core to version 2.0.2 or later [1][3]. No patches are available for ASP.NET Core 1.0.x or 1.1.x; these versions are out of support (EOL) and should be upgraded to a supported version [1]. As a workaround, ensure the application is hosted behind a proxy (e.g., IIS, NGINX, Apache) that validates the Host header and is configured to listen on fully qualified domain names or controlled wildcard subdomains. Apps hosted in Azure Web Apps are not susceptible [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
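The mitigation above comes down to one rule: the application must only ever act on a Host header it recognises. The following is an added example, not code from the advisory or from the ASP.NET Core project, showing how an ASP.NET Core 2.0.2 application can enforce an allow-list in process rather than relying solely on a front-end proxy. It assumes the project references the HostFiltering middleware (namespace Microsoft.AspNetCore.HostFiltering, which ships in Microsoft.AspNetCore.HttpOverrides 2.0.2 and as its own package from 2.1); the host names are placeholders.

```csharp
// Added example (not from the advisory or the ASP.NET Core project): a minimal
// Startup that restricts accepted Host headers with the HostFiltering middleware.
// Assumption: Microsoft.AspNetCore.HostFiltering is available to the project
// (it is part of Microsoft.AspNetCore.HttpOverrides 2.0.2).
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HostFiltering;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<HostFilteringOptions>(options =>
        {
            // Only these names are accepted. A request whose Host header does
            // not match is answered with HTTP 400 before it reaches the app.
            // "*.internal.example.com" is a controlled wildcard subdomain, as
            // the workaround in the advisory recommends. Placeholder names.
            options.AllowedHosts = new List<string>
            {
                "app.example.com",
                "*.internal.example.com",
            };

            // A request with no Host header at all is rejected as well.
            options.AllowEmptyHosts = false;

            // Do not echo the rejected host value back in the error body.
            options.IncludeFailureMessage = false;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Host filtering runs first, so link generation, redirects, CORS and
        // anything else that reads Request.Host only ever sees an allow-listed
        // value.
        app.UseHostFiltering();

        app.Run(async context =>
        {
            await context.Response.WriteAsync(
                $"Served for host {context.Request.Host}");
        });
    }
}
```

Hosting this directly on Kestrel is then safe with respect to the attacker-controlled Host header described above, because an arbitrary value never reaches application code. Keeping the same allow-list on the reverse proxy (IIS, NGINX, Apache) is still worthwhile as defence in depth; the two checks fail independently. From ASP.NET Core 2.1 the project templates wire this middleware automatically from the AllowedHosts key in appsettings.json, which is why the advisory singles out the 1.x and 2.0 templates.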
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Microsoft.AspNetCore.HttpOverrides | NuGet | >= 2.0.0, < 2.0.2 | 2.0.2 |
| Microsoft.AspNetCore.Server.Kestrel.Core | NuGet | >= 2.0.0, < 2.0.2 | 2.0.2 |
Affected products
- GHSA coordinates (no CPE): range >= 2.0.0, < 2.0.2
- GHSA coordinates (no CPE): range >= 2.0.0, < 2.0.2
- Microsoft Corporation / ASP.NET Core (CVE record v5): ASP.NET Core 1.0, 1.1, and 2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-365p-96qv-xr7g (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-0787 (GHSA: advisory)
- www.securityfocus.com/bid/103282 (GHSA: vdb-entry, x_refsource_BID, web)
- www.securitytracker.com/id/1040525 (GHSA: vdb-entry, x_refsource_SECTRACK, web)
- github.com/aspnet/Announcements/issues/295 (GHSA: x_refsource_CONFIRM, web)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0787 (GHSA: x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.