CVE-2023-36899: 
vulnerability analysis and mitigation

ASP.NET Elevation of Privilege Vulnerability (CVE-2023-36899) was disclosed on August 8, 2023. This vulnerability affects applications running on IIS using their parent application's Application Pool, which can lead to privilege escalation or other security bypasses. The vulnerability impacts various versions of Microsoft .NET Framework including 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2, and 4.8 running on multiple Windows Server versions (Microsoft Support).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Microsoft has classified this as a CWE-20 (Improper Input Validation) vulnerability (NVD).

The vulnerability can result in privilege escalation and security bypass capabilities in affected systems. It allows attackers to potentially gain elevated privileges within the application context, compromising the confidentiality, integrity, and availability of the affected systems (Microsoft Support).

Microsoft has released security updates to address this vulnerability. Users are advised to install the security updates provided through Windows Update or Microsoft Update Catalog. For systems running .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, and 4.7.2, the d3dcompiler_47.dll update (KB 4019990) must be installed before applying this security update (Microsoft Support).