Lucene search

GitHub Advisory DatabaseGHSA-J8F4-2W4P-MHJC

HistoryOct 16, 2018 - 7:57 p.m.

Moderate severity vulnerability that affects Microsoft.AspNetCore.Mvc

2018-10-1619:57:48

CWE-20

GitHub Advisory Database

github.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

44.0%

JSON

A spoofing vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.

Affected configurations

Vulners

Node

microsoftaspnetcore.mvc.webapicompatshimRange1.1.0–1.1.3

microsoftaspnetcore.mvc.webapicompatshimRange1.0.0–1.0.4

microsoftaspnetcore.mvc.viewfeaturesRange1.1.0–1.1.3

microsoftaspnetcore.mvc.viewfeaturesRange1.0.0–1.0.4

microsoftaspnetcore.mvc.taghelpersRange1.1.0–1.1.3

microsoftaspnetcore.mvc.taghelpersRange1.0.0–1.0.4

microsoftaspnetcore.mvc.razorRange1.1.0–1.1.3

microsoftaspnetcore.mvc.razorRange1.0.0–1.0.4

microsoftaspnetcore.mvc.razor.hostRange1.1.0–1.1.3

microsoftaspnetcore.mvc.razor.hostRange1.0.0–1.0.4

microsoftaspnetcore.mvc.localizationRange1.1.0–1.1.3

microsoftaspnetcore.mvc.localizationRange1.0.0–1.0.4

microsoftaspnetcore.mvc.formatters.xmlRange1.1.0–1.1.3

microsoftaspnetcore.mvc.formatters.xmlRange1.0.0–1.0.4

microsoftaspnetcore.mvc.formatters.jsonRange1.1.0–1.1.3

microsoftaspnetcore.mvc.formatters.jsonRange1.0.0–1.0.4

microsoftaspnetcore.mvc.dataannotationsRange1.1.0–1.1.3

microsoftaspnetcore.mvc.dataannotationsRange1.0.0–1.0.4

microsoftaspnetcore.mvc.corsRange1.1.0–1.1.3

microsoftaspnetcore.mvc.corsRange1.0.0–1.0.4

microsoftaspnetcore.mvc.apiexplorerRange1.1.0–1.1.3

microsoftaspnetcore.mvc.apiexplorerRange1.0.0–1.0.4

microsoftaspnetcore.mvc.abstractionsRange1.1.0–1.1.3

microsoftaspnetcore.mvc.abstractionsRange1.0.0–1.0.4

system.net.websockets.clientMatch4.3.0

system.net.websockets.clientMatch4.0.0

system.net.securityMatch4.3.0

system.net.securityMatch4.0.0

system.net.http.winhttphandlerMatch4.3.0

system.net.http.winhttphandlerMatch4.0.0

system.text.encodings.webMatch4.3.0

system.text.encodings.webMatch4.0.0

system.net.httpMatch4.3.1

system.net.httpMatch4.1.1

microsoftaspnetcore.mvc.coreRange1.1.0–1.1.3

microsoftaspnetcore.mvc.coreRange1.0.0–1.0.4

microsoftaspnetcore.mvcRange1.1.0–1.1.3

microsoftaspnetcore.mvcRange1.0.0–1.0.4

VendorProductVersionCPE
microsoftaspnetcore.mvc.webapicompatshim*cpe:2.3:a:microsoft:aspnetcore.mvc.webapicompatshim:*:*:*:*:*:*:*:*
microsoftaspnetcore.mvc.viewfeatures*cpe:2.3:a:microsoft:aspnetcore.mvc.viewfeatures:*:*:*:*:*:*:*:*
microsoftaspnetcore.mvc.taghelpers*cpe:2.3:a:microsoft:aspnetcore.mvc.taghelpers:*:*:*:*:*:*:*:*
microsoftaspnetcore.mvc.razor*cpe:2.3:a:microsoft:aspnetcore.mvc.razor:*:*:*:*:*:*:*:*
microsoftaspnetcore.mvc.razor.host*cpe:2.3:a:microsoft:aspnetcore.mvc.razor.host:*:*:*:*:*:*:*:*
microsoftaspnetcore.mvc.localization*cpe:2.3:a:microsoft:aspnetcore.mvc.localization:*:*:*:*:*:*:*:*
microsoftaspnetcore.mvc.formatters.xml*cpe:2.3:a:microsoft:aspnetcore.mvc.formatters.xml:*:*:*:*:*:*:*:*
microsoftaspnetcore.mvc.formatters.json*cpe:2.3:a:microsoft:aspnetcore.mvc.formatters.json:*:*:*:*:*:*:*:*
microsoftaspnetcore.mvc.dataannotations*cpe:2.3:a:microsoft:aspnetcore.mvc.dataannotations:*:*:*:*:*:*:*:*
microsoftaspnetcore.mvc.cors*cpe:2.3:a:microsoft:aspnetcore.mvc.cors:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
microsoft	aspnetcore.mvc.webapicompatshim	*	cpe:2.3:a:microsoft:aspnetcore.mvc.webapicompatshim::::::::
microsoft	aspnetcore.mvc.viewfeatures	*	cpe:2.3:a:microsoft:aspnetcore.mvc.viewfeatures::::::::
microsoft	aspnetcore.mvc.taghelpers	*	cpe:2.3:a:microsoft:aspnetcore.mvc.taghelpers::::::::
microsoft	aspnetcore.mvc.razor	*	cpe:2.3:a:microsoft:aspnetcore.mvc.razor::::::::
microsoft	aspnetcore.mvc.razor.host	*	cpe:2.3:a:microsoft:aspnetcore.mvc.razor.host::::::::
microsoft	aspnetcore.mvc.localization	*	cpe:2.3:a:microsoft:aspnetcore.mvc.localization::::::::
microsoft	aspnetcore.mvc.formatters.xml	*	cpe:2.3:a:microsoft:aspnetcore.mvc.formatters.xml::::::::
microsoft	aspnetcore.mvc.formatters.json	*	cpe:2.3:a:microsoft:aspnetcore.mvc.formatters.json::::::::
microsoft	aspnetcore.mvc.dataannotations	*	cpe:2.3:a:microsoft:aspnetcore.mvc.dataannotations::::::::
microsoft	aspnetcore.mvc.cors	*	cpe:2.3:a:microsoft:aspnetcore.mvc.cors::::::::

Rows per page:

1-10 of 241

References

github.com/advisories/GHSA-j8f4-2w4p-mhjc

github.com/aspnet/Announcements/issues/239

nvd.nist.gov/vuln/detail/CVE-2017-0256

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

44.0%

JSON

Related for GHSA-J8F4-2W4P-MHJC