Vulnerability Description
An elevation of privilege vulnerability exists when ASP.NET Core fails to properly sanitize web requests.
CVSS Score
7.3 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Asp.Net Model View Controller | 1.0.0 |
| Microsoft | Microsoft.Aspnetcore.Mvc.Abstractions | 1.0.0 |
| Microsoft | Microsoft.Aspnetcore.Mvc.Apiexplorer | 1.0.0 |
| Microsoft | Microsoft.Aspnetcore.Mvc.Cors | 1.0.0 |
| Microsoft | Microsoft.Aspnetcore.Mvc.Dataannotations | 1.0.0 |
| Microsoft | Microsoft.Aspnetcore.Mvc.Formatters.Json | 1.0.0 |
| Microsoft | Microsoft.Aspnetcore.Mvc.Formatters.Xml | 1.0.0 |
| Microsoft | Microsoft.Aspnetcore.Mvc.Localization | 1.0.0 |
| Microsoft | Microsoft.Aspnetcore.Mvc.Razor | 1.0.0 |
| Microsoft | Microsoft.Aspnetcore.Mvc.Razor.Host | 1.0.0 |
| Microsoft | Microsoft.Aspnetcore.Mvc.Taghelpers | 1.0.0 |
| Microsoft | Microsoft.Aspnetcore.Mvc.Viewfeatures | 1.0.0 |
| Microsoft | Microsoft.Aspnetcore.Mvc.Webapicompatshim | 1.0.0 |
| Microsoft | System.Net.Http | 4.1.1 |
| Microsoft | System.Net.Http.Winhttphandler | 4.0.1 |
| Microsoft | System.Net.Security | 4.0.0 |
| Microsoft | System.Net.Websockets.Client | 4.0.0 |
| Microsoft | System.Text.Encodings.Web | 4.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/aspnet/Announcements/issues/239 (Technical Description, Third Party Advisory)
FAQ
What is CVE-2017-0249?
CVE-2017-0249 is a vulnerability with a CVSS score of 7.3 (HIGH). An elevation of privilege vulnerability exists when ASP.NET Core fails to properly sanitize web requests.
How severe is CVE-2017-0249?
CVE-2017-0249 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2017-0249?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Asp.Net Model View Controller, Microsoft Microsoft.Aspnetcore.Mvc.Abstractions, Microsoft Microsoft.Aspnetcore.Mvc.Apiexplorer, Microsoft Microsoft.Aspnetcore.Mvc.Cors, Microsoft Microsoft.Aspnetcore.Mvc.Dataannotations.