ghsa-ch6p-4jcm-h8vh
Vulnerability from github
Published
2018-10-16 19:58
Modified
2024-02-28 23:01
Summary
Moderate severity vulnerability that affects Microsoft.AspNetCore.Mvc and Microsoft.AspNetCore.Mvc.Core
Details
Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka ".NET Security Feature Bypass Vulnerability."
{ "affected": [ { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc" }, "ranges": [ { "events": [ { "introduced": "1.1.0" }, { "fixed": "1.1.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.Core" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.Core" }, "ranges": [ { "events": [ { "introduced": "1.1.0" }, { "fixed": "1.1.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "System.Net.Http" }, "ranges": [ { "events": [ { "introduced": "4.1.1" }, { "fixed": "4.1.2" } ], "type": "ECOSYSTEM" } ], "versions": [ "4.1.1" ] }, { "package": { "ecosystem": "NuGet", "name": "System.Net.Http" }, "ranges": [ { "events": [ { "introduced": "4.3.1" }, { "fixed": "4.3.2" } ], "type": "ECOSYSTEM" } ], "versions": [ "4.3.1" ] }, { "package": { "ecosystem": "NuGet", "name": "System.Text.Encodings.Web" }, "ranges": [ { "events": [ { "introduced": "4.0.0" }, { "fixed": "4.0.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "4.0.0" ] }, { "package": { "ecosystem": "NuGet", "name": "System.Text.Encodings.Web" }, "ranges": [ { "events": [ { "introduced": "4.3.0" }, { "fixed": "4.3.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "4.3.0" ] }, { "package": { "ecosystem": "NuGet", "name": "System.Net.Http.WinHttpHandler" }, "ranges": [ { "events": [ { "introduced": "4.0.0" }, { "fixed": "4.0.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "4.0.0" ] }, { "package": { "ecosystem": "NuGet", "name": "System.Net.Http.WinHttpHandler" }, "ranges": [ { "events": [ { "introduced": "4.3.0" }, { "fixed": "4.3.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "4.3.0" ] }, { "package": { "ecosystem": "NuGet", "name": "System.Net.Security" }, "ranges": [ { "events": [ { "introduced": "4.0.0" }, { "fixed": "4.0.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "4.0.0" ] }, { "package": { "ecosystem": "NuGet", "name": "System.Net.Security" }, "ranges": [ { "events": [ { "introduced": "4.3.0" }, { "fixed": "4.3.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "4.3.0" ] }, { "package": { "ecosystem": "NuGet", "name": "System.Net.WebSockets.Client" }, "ranges": [ { "events": [ { "introduced": "4.0.0" }, { "fixed": "4.0.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "4.0.0" ] }, { "package": { "ecosystem": "NuGet", "name": "System.Net.WebSockets.Client" }, "ranges": [ { "events": [ { "introduced": "4.3.0" }, { "fixed": "4.3.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "4.3.0" ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.Abstractions" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.Abstractions" }, "ranges": [ { "events": [ { "introduced": "1.1.0" }, { "fixed": "1.1.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.ApiExplorer" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.ApiExplorer" }, "ranges": [ { "events": [ { "introduced": "1.1.0" }, { "fixed": "1.1.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.Cors" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.Cors" }, "ranges": [ { "events": [ { "introduced": "1.1.0" }, { "fixed": "1.1.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.DataAnnotations" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.DataAnnotations" }, "ranges": [ { "events": [ { "introduced": "1.1.0" }, { "fixed": "1.1.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.Formatters.Json" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.Formatters.Json" }, "ranges": [ { "events": [ { "introduced": "1.1.0" }, { "fixed": "1.1.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.Formatters.Xml" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.Formatters.Xml" }, "ranges": [ { "events": [ { "introduced": "1.1.0" }, { "fixed": "1.1.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.Localization" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.Localization" }, "ranges": [ { "events": [ { "introduced": "1.1.0" }, { "fixed": "1.1.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.Razor.Host" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.Razor.Host" }, "ranges": [ { "events": [ { "introduced": "1.1.0" }, { "fixed": "1.1.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.Razor" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.Razor" }, "ranges": [ { "events": [ { "introduced": "1.1.0" }, { "fixed": "1.1.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.TagHelpers" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.TagHelpers" }, "ranges": [ { "events": [ { "introduced": "1.1.0" }, { "fixed": "1.1.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.ViewFeatures" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.ViewFeatures" }, "ranges": [ { "events": [ { "introduced": "1.1.0" }, { "fixed": "1.1.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.WebApiCompatShim" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.AspNetCore.Mvc.WebApiCompatShim" }, "ranges": [ { "events": [ { "introduced": "1.1.0" }, { "fixed": "1.1.3" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2017-0248" ], "database_specific": { "cwe_ids": [ "CWE-295" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:31:44Z", "nvd_published_at": null, "severity": "MODERATE" }, "details": "Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka \".NET Security Feature Bypass Vulnerability.\"", "id": "GHSA-ch6p-4jcm-h8vh", "modified": "2024-02-28T23:01:55Z", "published": "2018-10-16T19:58:52Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0248" }, { "type": "WEB", "url": "https://github.com/aspnet/Announcements/issues/239" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-ch6p-4jcm-h8vh" }, { "type": "WEB", "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0248" } ], "schema_version": "1.4.0", "severity": [], "summary": "Moderate severity vulnerability that affects Microsoft.AspNetCore.Mvc and Microsoft.AspNetCore.Mvc.Core" }
Loading...