CVE-2018-8269
Description
A denial of service vulnerability exists when OData Library improperly handles web requests, aka "OData Denial of Service Vulnerability." This affects Microsoft.Data.OData.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OData library in ASP.NET Core mishandles web requests, allowing unauthenticated remote attackers to cause denial of service.
Vulnerability
A denial of service vulnerability exists in the OData library (Microsoft.Data.OData) used by ASP.NET Core, which improperly handles crafted web requests. The vulnerability affects all versions of Microsoft.Data.OData prior to 5.8.4. Additionally, ASP.NET Core packages that depend on the OData library, such as Microsoft.AspNetCore.DataProtection.AzureStorage versions 2.1.1 and 2.2.0, and the Microsoft.AspNetCore.All shared framework versions 2.1.0–2.1.12 and 2.2.0–2.2.6, are affected [2]. The issue also impacts Microsoft SharePoint Server 2016 due to its dependency on the same OData library [3].
Exploitation
A remote unauthenticated attacker can exploit the vulnerability by sending specially crafted HTTP requests that include malicious OData filters to an application that uses the vulnerable OData library. For SharePoint Server 2016, sending more than ten such requests within a five-minute interval will exceed the default process recovery limit, causing the server to become unavailable until manually restarted [2][3]. No authentication or prior access is required.
Impact
Successful exploitation results in a denial of service condition, rendering the targeted OData web application or SharePoint server non-functional. The attacker causes the server process to terminate, and once the recovery limit is exhausted, the service remains down until an administrator manually restarts it. This impacts availability of the affected service [1][2][3].
Mitigation
Update the Microsoft.Data.OData package to version 5.8.4 or later. For ASP.NET Core applications using the Microsoft.AspNetCore.DataProtection.AzureStorage package, upgrade to version 2.1.2 or 2.2.1. For applications using the Microsoft.AspNetCore.All shared framework, upgrade to version 2.1.13 or 2.2.7. These updates were released by Microsoft on September 13, 2018 [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.Data.ODataNuGet | < 5.8.4 | 5.8.4 |
Microsoft.AspNetCore.DataProtection.AzureStorageNuGet | >= 2.1.0, < 2.1.13 | 2.1.13 |
Microsoft.AspNetCore.DataProtection.AzureStorageNuGet | >= 2.2.0, < 2.2.7 | 2.2.7 |
Microsoft.AspNetCore.AllNuGet | >= 2.1.0, < 2.1.13 | 2.1.13 |
Microsoft.AspNetCore.AllNuGet | >= 2.2.0, < 2.2.7 | 2.2.7 |
Affected products
4- ghsa-coords3 versionspkg:nuget/microsoft.aspnetcore.allpkg:nuget/microsoft.aspnetcore.dataprotection.azurestoragepkg:nuget/microsoft.data.odata
>= 2.1.0, < 2.1.13+ 2 more
- (no CPE)range: >= 2.1.0, < 2.1.13
- (no CPE)range: >= 2.1.0, < 2.1.13
- (no CPE)range: < 5.8.4
- Microsoft/Microsoft.Data.ODatav5Range: Microsoft.Data.OData
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- www.exploit-db.com/exploits/46101/mitreexploitx_refsource_EXPLOIT-DB
- github.com/advisories/GHSA-mv2r-q4g5-j8q5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-8269ghsaADVISORY
- www.securityfocus.com/bid/105322mitrevdb-entryx_refsource_BID
- github.com/aspnet/Announcements/issues/385ghsaWEB
- github.com/github/advisory-database/issues/302ghsaWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8269ghsax_refsource_CONFIRMWEB
- www.exploit-db.com/exploits/46101ghsaWEB
News mentions
0No linked articles in our index yet.