ASP.NET Core fails to properly validate web requests

GHSA-6xh7-4v2w-36q6 · CVE-2017-0247

Published Oct 16, 2018 · Modified Nov 8, 2023

Description

A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.

References

7.5 / 10

HIGH CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Packages

NuGet/Microsoft.AspNetCore.Mvc

Fix 1.0.4, 1.1.3

Introduced 1.0.0, 1.1.0

7 affected versions

1.0.01.0.11.0.21.0.31.1.01.1.11.1.2

NuGet/Microsoft.AspNetCore.Mvc.Abstractions

Fix 1.0.4, 1.1.3

Introduced 1.0.0, 1.1.0

7 affected versions

1.0.01.0.11.0.21.0.31.1.01.1.11.1.2

NuGet/Microsoft.AspNetCore.Mvc.ApiExplorer

Fix 1.0.4, 1.1.3

Introduced 1.0.0, 1.1.0

7 affected versions

1.0.01.0.11.0.21.0.31.1.01.1.11.1.2

NuGet/Microsoft.AspNetCore.Mvc.Core

Fix 1.0.4, 1.1.3

Introduced 1.0.0, 1.1.0

7 affected versions

1.0.01.0.11.0.21.0.31.1.01.1.11.1.2

NuGet/Microsoft.AspNetCore.Mvc.Cors

Fix 1.0.4, 1.1.3

Introduced 1.0.0, 1.1.0

7 affected versions

1.0.01.0.11.0.21.0.31.1.01.1.11.1.2

NuGet/Microsoft.AspNetCore.Mvc.DataAnnotations

Fix 1.0.4, 1.1.3

Introduced 1.0.0, 1.1.0

7 affected versions

1.0.01.0.11.0.21.0.31.1.01.1.11.1.2

NuGet/Microsoft.AspNetCore.Mvc.Formatters.Json

Fix 1.0.4, 1.1.3

Introduced 1.0.0, 1.1.0

7 affected versions

1.0.01.0.11.0.21.0.31.1.01.1.11.1.2

NuGet/Microsoft.AspNetCore.Mvc.Formatters.Xml

Fix 1.0.4, 1.1.3

Introduced 1.0.0, 1.1.0

7 affected versions

1.0.01.0.11.0.21.0.31.1.01.1.11.1.2

NuGet/Microsoft.AspNetCore.Mvc.Localization

Fix 1.0.4, 1.1.3

Introduced 1.0.0, 1.1.0

7 affected versions

1.0.01.0.11.0.21.0.31.1.01.1.11.1.2

NuGet/Microsoft.AspNetCore.Mvc.Razor

Fix 1.0.4, 1.1.3

Introduced 1.0.0, 1.1.0

7 affected versions

1.0.01.0.11.0.21.0.31.1.01.1.11.1.2

NuGet/Microsoft.AspNetCore.Mvc.Razor.Host

Fix 1.0.4, 1.1.3

Introduced 1.0.0, 1.1.0

7 affected versions

1.0.01.0.11.0.21.0.31.1.01.1.11.1.2

NuGet/Microsoft.AspNetCore.Mvc.TagHelpers

Fix 1.0.4, 1.1.3

Introduced 1.0.0, 1.1.0

7 affected versions

1.0.01.0.11.0.21.0.31.1.01.1.11.1.2

NuGet/Microsoft.AspNetCore.Mvc.ViewFeatures

Fix 1.0.4, 1.1.3

Introduced 1.0.0, 1.1.0

7 affected versions

1.0.01.0.11.0.21.0.31.1.01.1.11.1.2

NuGet/Microsoft.AspNetCore.Mvc.WebApiCompatShim

Fix 1.0.4, 1.1.3

Introduced 1.0.0, 1.1.0

7 affected versions

1.0.01.0.11.0.21.0.31.1.01.1.11.1.2

NuGet/System.Net.Http

Fix 4.1.2, 4.3.2

Introduced 4.1.1, 4.3.1

2 affected versions

4.1.14.3.1

NuGet/System.Net.Http.WinHttpHandler

Fix 4.0.1, 4.5.4

Introduced 4.0.0, 4.3.0

16 affected versions

4.0.04.3.04.3.14.3.24.3.34.4.04.4.0-preview1-25305-024.4.0-preview2-25405-014.5.04.5.0-preview1-26216-024.5.0-preview2-26406-044.5.0-rc14.5.14.5.24.5.2-servicing-27114-054.5.3

NuGet/System.Net.Security

Fix 4.0.1, 4.3.1

Introduced 4.0.0, 4.3.0

2 affected versions

4.0.04.3.0

NuGet/System.Net.WebSockets.Client

Fix 4.0.1, 4.3.1

Introduced 4.0.0, 4.3.0

2 affected versions

4.0.04.3.0

NuGet/System.Text.Encodings.Web

Fix 4.0.1, 4.3.1

Introduced 4.0.0, 4.3.0

2 affected versions

4.0.04.3.0

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes