ASP.NET and Visual Studio Security Feature Bypass Vulnerability
Description
ASP.NET and Visual Studio Security Feature Bypass Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ASP.NET Core's account lockout mechanism does not immediately update the failed attempts count, allowing attackers to bypass the lockout threshold.
Vulnerability
Overview
CVE-2023-33170 is a security feature bypass vulnerability in ASP.NET Core affecting the account lockout functionality. The root cause is that the maximum failed attempts count may not be immediately updated in certain scenarios, allowing an attacker to attempt more passwords than intended before the lockout is enforced. This issue impacts ASP.NET Core 2.1 and above, including .NET 6.0, .NET 7.0, and the Microsoft.AspNetCore.Identity NuGet package [2][3].
Exploitation
Conditions
Exploitation does not require any special privileges but does depend on the application using ASP.NET Core's Identity framework for authentication. An attacker can repeatedly submit login requests without the lockout mechanism correctly tracking the failed attempts. No authentication is needed to launch this attack, only network access to the affected application [2][3].
Impact
A successful exploit allows an attacker to conduct brute-force password guessing attacks beyond the configured account lockout threshold. This increases the likelihood of compromising a user account, especially for weak or common passwords. The vulnerability bypasses a critical security control intended to prevent automated password guessing [2][3].
Mitigation
Microsoft has released patches for all affected platforms. Users should update their applications to the latest versions: .NET 7.0.9 or later, .NET 6.0.20 or later, and Microsoft.AspNetCore.Identity package version 2.1.39 or later. There are no known workarounds for this vulnerability, and it is not currently listed in CISA's Known Exploited Vulnerabilities catalog [2][3].
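As an added defender-side example (not code from the advisory or from the ASP.NET Core project), the script below scans constructed authentication log lines and flags accounts whose failed-login count climbed past the configured threshold without a lockout event ever being recorded, which is the trace an under-counted lockout would leave in the logs. The log format, the `login_failed`/`login_ok`/`lockout` event names and the threshold of 5 are assumptions, not values from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (assumed format, not real ASP.NET Core log output).
SAMPLE_LOG = """\
2023-07-11T10:00:01Z login_failed user=alice ip=203.0.113.5
2023-07-11T10:00:02Z login_failed user=alice ip=203.0.113.5
2023-07-11T10:00:03Z login_failed user=alice ip=203.0.113.5
2023-07-11T10:00:04Z login_failed user=alice ip=203.0.113.5
2023-07-11T10:00:05Z login_failed user=alice ip=203.0.113.5
2023-07-11T10:00:06Z login_failed user=alice ip=203.0.113.5
2023-07-11T10:00:10Z login_failed user=bob ip=198.51.100.7
2023-07-11T10:00:11Z login_failed user=bob ip=198.51.100.7
2023-07-11T10:00:12Z login_failed user=bob ip=198.51.100.7
2023-07-11T10:00:13Z login_failed user=bob ip=198.51.100.7
2023-07-11T10:00:14Z login_failed user=bob ip=198.51.100.7
2023-07-11T10:00:15Z lockout user=bob ip=198.51.100.7
2023-07-11T10:00:16Z login_failed user=bob ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (login_failed|login_ok|lockout) user=(\S+) ip=(\S+)$")

def parse(log_text):
    """Yield (timestamp, event, user, ip) for every line that matches the assumed format."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that are not authentication events
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)

def find_lockout_bypass(log_text, max_failed=5, window=timedelta(minutes=15)):
    """Return {user: peak_failures} for users whose failures inside `window`
    exceeded max_failed while no lockout (or successful login) reset the count.
    A correctly enforced lockout should make this dictionary empty."""
    recent = defaultdict(list)  # user -> timestamps of failures still counted
    suspicious = {}
    for ts, event, user, _ip in sorted(parse(log_text)):
        if event in ("lockout", "login_ok"):
            recent[user].clear()  # lockout or success resets the failure counter
            continue
        fails = [t for t in recent[user] if ts - t <= window] + [ts]
        recent[user] = fails
        if len(fails) > max_failed:
            suspicious[user] = max(len(fails), suspicious.get(user, 0))
    return suspicious
```

With the sample above, `alice` is reported with 6 failures and `bob` is not, because his lockout event resets the count after the fifth failure.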
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.AspNetCore.Identity (NuGet) | < 2.1.39 | 2.1.39 |
| Microsoft.AspNet.Identity.Owin (NuGet) | < 2.2.4 | 2.2.4 |
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | < 6.0.20 | 6.0.20 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | < 6.0.20 | 6.0.20 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm (NuGet) | < 6.0.20 | 6.0.20 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | < 6.0.20 | 6.0.20 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | < 6.0.20 | 6.0.20 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | < 6.0.20 | 6.0.20 |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | < 6.0.20 | 6.0.20 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | < 6.0.20 | 6.0.20 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | < 6.0.20 | 6.0.20 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | < 6.0.20 | 6.0.20 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 7.0.0, < 7.0.9 | 7.0.9 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 7.0.0, < 7.0.9 | 7.0.9 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 7.0.0, < 7.0.9 | 7.0.9 |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 7.0.0, < 7.0.9 | 7.0.9 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | >= 7.0.0, < 7.0.9 | 7.0.9 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 (NuGet) | >= 7.0.0, < 7.0.9 | 7.0.9 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | >= 7.0.0, < 7.0.9 | 7.0.9 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 7.0.0, < 7.0.9 | 7.0.9 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 7.0.0, < 7.0.9 | 7.0.9 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm (NuGet) | >= 7.0.0, < 7.0.9 | 7.0.9 |
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | >= 7.0.0, < 7.0.9 | 7.0.9 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | >= 7.0.0, < 7.0.9 | 7.0.9 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | < 6.0.20 | 6.0.20 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 (NuGet) | < 6.0.20 | 6.0.20 |
Affected products
OSV package coordinates (37 entries, no CPE assigned) with their affected version ranges:
- pkg:bitnami/dotnet: >= 6.0.0, < 6.0.20
- pkg:bitnami/dotnet-sdk: >= 6.0.0, < 6.0.20
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-arm: < 6.0.20
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-arm64: < 6.0.20
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-arm: < 6.0.20
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-arm64: < 6.0.20
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-x64: >= 7.0.0, < 7.0.9
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-x64: < 6.0.20
- pkg:nuget/microsoft.aspnetcore.app.runtime.osx-arm64: >= 7.0.0, < 7.0.9
- pkg:nuget/microsoft.aspnetcore.app.runtime.osx-x64: < 6.0.20
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-arm: < 6.0.20
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-arm64: < 6.0.20
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-x64: < 6.0.20
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-x86: < 6.0.20
- pkg:nuget/microsoft.aspnetcore.identity: < 2.1.39
- pkg:nuget/microsoft.aspnet.identity.owin: < 2.2.4
- pkg:rpm/almalinux/aspnetcore-runtime-6.0: < 6.0.20-1.el8_8
- pkg:rpm/almalinux/aspnetcore-runtime-7.0: < 7.0.9-1.el9_2
- pkg:rpm/almalinux/aspnetcore-targeting-pack-6.0: < 6.0.20-1.el8_8
- pkg:rpm/almalinux/aspnetcore-targeting-pack-7.0: < 7.0.9-1.el9_2
- pkg:rpm/almalinux/dotnet: < 7.0.109-1.el8_8
- pkg:rpm/almalinux/dotnet-apphost-pack-6.0: < 6.0.20-1.el8_8
- pkg:rpm/almalinux/dotnet-apphost-pack-7.0: < 7.0.9-1.el9_2
- pkg:rpm/almalinux/dotnet-host: < 7.0.9-1.el9_2
- pkg:rpm/almalinux/dotnet-hostfxr-6.0: < 6.0.20-1.el8_8
- pkg:rpm/almalinux/dotnet-hostfxr-7.0: < 7.0.9-1.el9_2
- pkg:rpm/almalinux/dotnet-runtime-6.0: < 6.0.20-1.el8_8
- pkg:rpm/almalinux/dotnet-runtime-7.0: < 7.0.9-1.el9_2
- pkg:rpm/almalinux/dotnet-sdk-6.0: < 6.0.120-1.el8_8
- pkg:rpm/almalinux/dotnet-sdk-6.0-source-built-artifacts: < 6.0.120-1.el8_8
- pkg:rpm/almalinux/dotnet-sdk-7.0: < 7.0.109-1.el9_2
- pkg:rpm/almalinux/dotnet-sdk-7.0-source-built-artifacts: < 7.0.109-1.el9_2
- pkg:rpm/almalinux/dotnet-targeting-pack-6.0: < 6.0.20-1.el8_8
- pkg:rpm/almalinux/dotnet-targeting-pack-7.0: < 7.0.9-1.el9_2
- pkg:rpm/almalinux/dotnet-templates-6.0: < 6.0.120-1.el8_8
- pkg:rpm/almalinux/dotnet-templates-7.0: < 7.0.109-1.el9_2
- pkg:rpm/almalinux/netstandard-targeting-pack-2.1: < 7.0.109-1.el9_2
Vendor products (CVE v5 record):
- Microsoft / Microsoft Visual Studio 2022 version 17.0, range: 17.0.0
- Microsoft / Microsoft Visual Studio 2022 version 17.2, range: 17.2.0
- Microsoft / Microsoft Visual Studio 2022 version 17.4, range: 17.4.0
- Microsoft / Microsoft Visual Studio 2022 version 17.6, range: 17.6.0
- Microsoft / .NET 6.0, range: 6.0.0
- Microsoft / .NET 7.0, range: 7.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-25c8-p796-jg6r (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33170 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2023-33170 (ghsa, ADVISORY)
- github.com/dotnet/aspnetcore/issues/49334 (ghsa, WEB)
- github.com/dotnet/aspnetcore/security/advisories/GHSA-25c8-p796-jg6r (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVZVMMCCBBCSCPAW2CRQGOTKIHVFCMRO (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O5CFOR6ID2HP45E7ZOGQNX76FPIWP7XR (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TLWNIIA2I6YCYVCXYBPBRSZ3UH6KILTG (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3VJRGNYJXGPF5LXUG3NL45QPK2UU6PL (ghsa, WEB)
News mentions
No linked articles in our index yet.