Web Applications using Claims authentication require an update (SharePoint Server)
APPLIES TO: 2013 2016 2019 Subscription Edition SharePoint in Microsoft 365
Rule Name: Web Applications using Claims authentication require an update.
Event ID: None
Summary: Web applications that use claims-based authentication are at risk for a potential security vulnerability that might allow users to elevate privileges. Web servers that host Web applications that use claims-based authentication are potentially vulnerable.
Cause: This can happen when you deploy a Microsoft ASP.NET 2.0-based Web application to a Web site that is hosted on a server running SharePoint Server and you have Internet Information Services (IIS) 7.0 or IIS 7.5 running in Integrated mode on the server.
If you deploy partially trusted Web Parts or create external lists on the SharePoint site, these Web Parts or external lists can have more permissions than they should have. This issue might create a security risk on the SharePoint site. For example, these Web Parts or external lists may unexpectedly generate database requests or HTTP requests.
This issue occurs because of a change in the ASP.NET 2.0 authentication component. The change causes the partially trusted Web Parts or external lists to impersonate the application pool account. Therefore, the Web Parts have full permission to access the SharePoint site.
Resolution: Install the update
- For more information about this update, see Knowledge Base article 979917.