CVE-2018-0786 — Improper Certificate Validation in Microsoft .NET Framework components

Description

Microsoft .NET Framework 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, .NET Core 1.0 and 2.0, and PowerShell Core 6.0.0 allow a security feature bypass vulnerability due to the way certificates are validated, aka ".NET Security Feature Bypass Vulnerability."

How to fix CVE-2018-0786

To remediate CVE-2018-0786, upgrade the affected package to a fixed version below.

—upgrade to 5.2.4 or later
—upgrade to 4.4.1 or later
—upgrade to 4.4.1 or later
—upgrade to 4.4.1 or later
—upgrade to 4.4.1 or later
—upgrade to 4.4.1 or later
—upgrade to 4.4.1 or later

Is CVE-2018-0786 being exploited?

Low — EPSS is 2.0%, meaning exploitation activity has not been observed at scale.

Affected packages (7)

>= 5.2.0, < 5.2.4
>= 4.4.0, < 4.4.1
>= 4.4.0, < 4.4.1
>= 4.4.0, < 4.4.1
>= 4.4.0, < 4.4.1
>= 4.4.0, < 4.4.1
>= 4.4.0, < 4.4.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (6)

ADVISORYgithub.com/advisories/GHSA-jc8g-xhw5-6x46
ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-0786
WEBgithub.com/dotnet/announcements/issues/51
WEBgithub.com/github/advisory-database/issues/302
WEB