CVE-2017-0248 — Improper Certificate Validation in Microsoft Microsoft.aspnetcore.mvc.abstractions

CWE-295 — Improper Certificate Validation7 documents6 sources

Severity

7.5HIGHNVD

EPSS

1.1%

top 22.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

19

Microsoft Microsoft.aspnetcore.mvc.abstractions Microsoft Microsoft.aspnetcore.mvc.apiexplorer Microsoft Microsoft.aspnetcore.mvc.cors +16 more

Timeline

PublishedMay 12

Latest updateOct 16

Description

Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka ".NET Security Feature Bypass Vulnerability."

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages19 packages

▶NuGetmicrosoft/system.net.security4.0.0 — 4.0.1+1

▶NuGetmicrosoft/microsoft.aspnetcore.mvc.viewfeatures1.0.0 — 1.0.4+1

▶NVDmicrosoft/net_framework8 versions+7

▶CVEListV5microsoft_corporation/microsoft_net_frameworkMicrosoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7

▶NuGetmicrosoft/system.net.http4.1.1 — 4.1.2+1

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

3

GHSA

Moderate severity vulnerability that affects Microsoft.AspNetCore.Mvc and Microsoft.AspNetCore.Mvc.Core↗2018-10-16

▶

OSV

Moderate severity vulnerability that affects Microsoft.AspNetCore.Mvc and Microsoft.AspNetCore.Mvc.Core↗2018-10-16

▶

CVEList

CVE-2017-0248: Microsoft↗2017-05-12

▶

📋Vendor Advisories

1

Microsoft

.NET Security Feature Bypass Vulnerability↗2017-05-09

▶

💬Community

2

Bugzilla

CVE-2016-6344 JBoss bpms 6.3.x cookie does not set httponly↗2016-08-31

▶

Bugzilla

CVE-2016-4434 tika: XML External Entity vulnerability↗2016-05-27

▶

External resources

Affected products19

Microsoft Corporation Microsoft NET FrameworkvMicrosoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7

Microsoft Microsoft.aspnetcore.mvc.abstractions≥ 1.0.0, < 1.0.4≥ 1.1.0, < 1.1.3

Microsoft Microsoft.aspnetcore.mvc.apiexplorer≥ 1.0.0, < 1.0.4≥ 1.1.0, < 1.1.3

Microsoft Microsoft.aspnetcore.mvc.cors≥ 1.0.0, < 1.0.4≥ 1.1.0, < 1.1.3

Microsoft Microsoft.aspnetcore.mvc.dataannotations≥ 1.0.0, < 1.0.4≥ 1.1.0, < 1.1.3

Microsoft Microsoft.aspnetcore.mvc.formatters.json≥ 1.0.0, < 1.0.4≥ 1.1.0, < 1.1.3

Microsoft Microsoft.aspnetcore.mvc.formatters.xml≥ 1.0.0, < 1.0.4≥ 1.1.0, < 1.1.3

Microsoft Microsoft.aspnetcore.mvc.localization≥ 1.0.0, < 1.0.4≥ 1.1.0, < 1.1.3

Microsoft Microsoft.aspnetcore.mvc.razor≥ 1.0.0, < 1.0.4≥ 1.1.0, < 1.1.3

Microsoft Microsoft.aspnetcore.mvc.razor.host≥ 1.0.0, < 1.0.4≥ 1.1.0, < 1.1.3

Disclosure

PublishedMay 12, 2017

Latest updateOct 16, 2018

CVE-2017-0248 — Improper Certificate Validation | cvebase