CVE-2017-0247

Severity: 7.5 HIGH
EPSS: 11.1% (top 6.53%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: May 12
Latest update: Oct 16

Description

A denial of service vulnerability exists when ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (38 packages)

NuGet | Microsoft.AspNetCore.Mvc | 1.0.0 | 1.0.4 | +1
NuGet | System.Text.Encodings.Web | 4.0.0 | 4.0.1 | +1
NuGet | Microsoft.AspNetCore.Mvc.Core | 1.0.0 | 1.0.4 | +1
NuGet | Microsoft.AspNetCore.Mvc.Cors | 1.0.0 | 1.0.4 | +1

Patches

Vulnerability Details (3)

OSV | ASP.NET Core fails to properly validate web requests | 2018-10-16
GHSA | ASP.NET Core fails to properly validate web requests | 2018-10-16
CVEList | CVE-2017-0247: A denial of service vulnerability exists when the ASP | 2017-05-12