ID

VAR-201705-3317


CVE

CVE-2017-0256


TITLE

Microsoft ASP.NET Core Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-003295

DESCRIPTION

A spoofing vulnerability exists when ASP.NET Core fails to properly sanitize web requests. Microsoft ASP.NET Core contains an input validation vulnerability. Information may be tampered with. The framework is used to build cloud-based applications such as web applications, IoT applications, and mobile backends. Attackers can use this vulnerability to forge requests. An attacker can exploit this issue to conduct spoofing attacks and perform unauthorized actions; other attacks are also possible.

Trust: 3.06

sources: NVD: CVE-2017-0256 // JVNDB: JVNDB-2017-003295 // CNVD: CNVD-2017-08173 // CNNVD: CNNVD-201705-735 // BID: 98290 // VULMON: CVE-2017-0256

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-08173

AFFECTED PRODUCTS

vendor: microsoft, model: microsoft.aspnetcore.mvc.webapicompatshim, scope: eq, version: 1.0.2 (Trust: 1.6)
vendor: microsoft, model: microsoft.aspnetcore.mvc.viewfeatures, scope: eq, version: 1.1.0 (Trust: 1.6)
vendor: microsoft, model: microsoft.aspnetcore.mvc.viewfeatures, scope: eq, version: 1.1.1 (Trust: 1.6)
vendor: microsoft, model: microsoft.aspnetcore.mvc.viewfeatures, scope: eq, version: 1.1.2 (Trust: 1.6)
vendor: microsoft, model: microsoft.aspnetcore.mvc.webapicompatshim, scope: eq, version: 1.1.1 (Trust: 1.6)
vendor: microsoft, model: microsoft.aspnetcore.mvc.webapicompatshim, scope: eq, version: 1.0.0 (Trust: 1.6)
vendor: microsoft, model: microsoft.aspnetcore.mvc.webapicompatshim, scope: eq, version: 1.0.3 (Trust: 1.6)
vendor: microsoft, model: microsoft.aspnetcore.mvc.webapicompatshim, scope: eq, version: 1.0.1 (Trust: 1.6)
vendor: microsoft, model: microsoft.aspnetcore.mvc.webapicompatshim, scope: eq, version: 1.1.0 (Trust: 1.6)
vendor: microsoft, model: microsoft.aspnetcore.mvc.viewfeatures, scope: eq, version: 1.0.3 (Trust: 1.6)
vendor: microsoft, model: system.net.http.winhttphandler, scope: eq, version: 4.3.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.formatters.xml, scope: eq, version: 1.1.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.razor.host, scope: eq, version: 1.0.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.cors, scope: eq, version: 1.0.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.taghelpers, scope: eq, version: 1.0.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.dataannotations, scope: eq, version: 1.0.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.cors, scope: eq, version: 1.1.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.razor, scope: eq, version: 1.1.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.razor.host, scope: eq, version: 1.0.3 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.cors, scope: eq, version: 1.0.3 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.localization, scope: eq, version: 1.0.1 (Trust: 1.0)
vendor: microsoft, model: asp.net model view controller, scope: eq, version: 1.0.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.localization, scope: eq, version: 1.1.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.razor.host, scope: eq, version: 1.1.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.webapicompatshim, scope: eq, version: 1.1.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.abstractions, scope: eq, version: 1.1.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.razor.host, scope: eq, version: 1.1.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.cors, scope: eq, version: 1.1.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.formatters.json, scope: eq, version: 1.0.1 (Trust: 1.0)
vendor: microsoft, model: system.net.http.winhttphandler, scope: eq, version: 4.0.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.apiexplorer, scope: eq, version: 1.0.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.dataannotations, scope: eq, version: 1.1.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.taghelpers, scope: eq, version: 1.0.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.dataannotations, scope: eq, version: 1.1.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.formatters.json, scope: eq, version: 1.1.2 (Trust: 1.0)
vendor: microsoft, model: system.text.encodings.web, scope: eq, version: 4.0.0 (Trust: 1.0)
vendor: microsoft, model: asp.net model view controller, scope: eq, version: 1.0.3 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.razor, scope: eq, version: 1.0.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.viewfeatures, scope: eq, version: 1.0.2 (Trust: 1.0)
vendor: microsoft, model: system.text.encodings.web, scope: eq, version: 4.3.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.taghelpers, scope: eq, version: 1.0.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.taghelpers, scope: eq, version: 1.1.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.apiexplorer, scope: eq, version: 1.0.3 (Trust: 1.0)
vendor: microsoft, model: asp.net model view controller, scope: eq, version: 1.1.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.taghelpers, scope: eq, version: 1.0.3 (Trust: 1.0)
vendor: microsoft, model: asp.net model view controller, scope: eq, version: 1.1.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.abstractions, scope: eq, version: 1.0.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.apiexplorer, scope: eq, version: 1.1.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.dataannotations, scope: eq, version: 1.0.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.apiexplorer, scope: eq, version: 1.1.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.formatters.xml, scope: eq, version: 1.0.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.formatters.xml, scope: eq, version: 1.1.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.taghelpers, scope: eq, version: 1.1.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.formatters.json, scope: eq, version: 1.0.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.formatters.xml, scope: eq, version: 1.1.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.razor, scope: eq, version: 1.0.2 (Trust: 1.0)
vendor: microsoft, model: system.net.security, scope: eq, version: 4.0.0 (Trust: 1.0)
vendor: microsoft, model: asp.net model view controller, scope: eq, version: 1.0.0 (Trust: 1.0)
vendor: microsoft, model: system.net.http, scope: eq, version: 4.1.1 (Trust: 1.0)
vendor: microsoft, model: system.net.websockets.client, scope: eq, version: 4.0.0 (Trust: 1.0)
vendor: microsoft, model: system.net.security, scope: eq, version: 4.3.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.apiexplorer, scope: eq, version: 1.0.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.abstractions, scope: eq, version: 1.0.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.razor, scope: eq, version: 1.0.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.razor, scope: eq, version: 1.1.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.localization, scope: eq, version: 1.0.2 (Trust: 1.0)
vendor: microsoft, model: system.net.websockets.client, scope: eq, version: 4.3.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.razor, scope: eq, version: 1.0.3 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.formatters.xml, scope: eq, version: 1.0.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.formatters.json, scope: eq, version: 1.0.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.razor.host, scope: eq, version: 1.0.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.cors, scope: eq, version: 1.0.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.razor.host, scope: eq, version: 1.1.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.abstractions, scope: eq, version: 1.0.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.viewfeatures, scope: eq, version: 1.0.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.abstractions, scope: eq, version: 1.1.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.cors, scope: eq, version: 1.1.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.razor, scope: eq, version: 1.1.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.dataannotations, scope: eq, version: 1.0.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.abstractions, scope: eq, version: 1.0.3 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.dataannotations, scope: eq, version: 1.1.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.localization, scope: eq, version: 1.0.3 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.formatters.json, scope: eq, version: 1.1.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.dataannotations, scope: eq, version: 1.0.3 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.formatters.json, scope: eq, version: 1.0.3 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.localization, scope: eq, version: 1.1.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.abstractions, scope: eq, version: 1.1.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.localization, scope: eq, version: 1.1.0 (Trust: 1.0)
vendor: microsoft, model: asp.net model view controller, scope: eq, version: 1.0.1 (Trust: 1.0)
vendor: microsoft, model: asp.net model view controller, scope: eq, version: 1.1.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.formatters.json, scope: eq, version: 1.1.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.formatters.xml, scope: eq, version: 1.0.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.apiexplorer, scope: eq, version: 1.0.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.razor.host, scope: eq, version: 1.0.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.apiexplorer, scope: eq, version: 1.1.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.cors, scope: eq, version: 1.0.0 (Trust: 1.0)
vendor: microsoft, model: system.net.http, scope: eq, version: 4.3.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.taghelpers, scope: eq, version: 1.1.2 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.viewfeatures, scope: eq, version: 1.0.1 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.localization, scope: eq, version: 1.0.0 (Trust: 1.0)
vendor: microsoft, model: microsoft.aspnetcore.mvc.formatters.xml, scope: eq, version: 1.0.3 (Trust: 1.0)
vendor: microsoft, model: asp.net, scope: eq, version: core (Trust: 0.8)
vendor: microsoft, model: asp.net, scope: -, version: - (Trust: 0.6)
vendor: microsoft, model: asp.net, scope: eq, version: 0 (Trust: 0.3)

sources: CNVD: CNVD-2017-08173 // BID: 98290 // JVNDB: JVNDB-2017-003295 // CNNVD: CNNVD-201705-735 // NVD: CVE-2017-0256

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-0256
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-0256
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-08173
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201705-735
value: MEDIUM

Trust: 0.6

VULMON: CVE-2017-0256
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-0256
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2017-08173
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2017-0256
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-08173 // VULMON: CVE-2017-0256 // JVNDB: JVNDB-2017-003295 // CNNVD: CNNVD-201705-735 // NVD: CVE-2017-0256

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.8

sources: JVNDB: JVNDB-2017-003295 // NVD: CVE-2017-0256

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201705-735

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201705-735

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-003295

PATCH

title: Microsoft Security Advisory 4021279: Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege #239
url: https://github.com/aspnet/Announcements/issues/239

Trust: 0.8

title: Patch for Microsoft ASP.NET Core Spoofing Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/94465

Trust: 0.6

title: Microsoft ASP.NET Core Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70330

Trust: 0.6

title: OssIndexClient
url: https://github.com/SimonCropp/OssIndexClient

Trust: 0.1

title: -
url: https://github.com/shiftingleft/dotnet-scm-test

Trust: 0.1

title: -
url: https://github.com/jnewman-sonatype/DotNetTest

Trust: 0.1

sources: CNVD: CNVD-2017-08173 // VULMON: CVE-2017-0256 // JVNDB: JVNDB-2017-003295 // CNNVD: CNNVD-201705-735

EXTERNAL IDS

db: NVD, id: CVE-2017-0256

Trust: 3.4

db: BID, id: 98290

Trust: 1.0

db: JVNDB, id: JVNDB-2017-003295

Trust: 0.8

db: CNVD, id: CNVD-2017-08173

Trust: 0.6

db: CNNVD, id: CNNVD-201705-735

Trust: 0.6

db: VULMON, id: CVE-2017-0256

Trust: 0.1

sources: CNVD: CNVD-2017-08173 // VULMON: CVE-2017-0256 // BID: 98290 // JVNDB: JVNDB-2017-003295 // CNNVD: CNNVD-201705-735 // NVD: CVE-2017-0256

REFERENCES

url:https://github.com/aspnet/announcements/issues/239

Trust: 2.6

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-0256

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-0256

Trust: 0.8

url:http://www.microsoft.com

Trust: 0.3

url:https://technet.microsoft.com/library/security/4021279.aspx

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/20.html

Trust: 0.1

url:https://www.securityfocus.com/bid/98290

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/simoncropp/ossindexclient

Trust: 0.1

url:https://tools.cisco.com/security/center/viewalert.x?alertid=53814

Trust: 0.1

sources: CNVD: CNVD-2017-08173 // VULMON: CVE-2017-0256 // BID: 98290 // JVNDB: JVNDB-2017-003295 // CNNVD: CNNVD-201705-735 // NVD: CVE-2017-0256

CREDITS

Mikhail Shcherbakov

Trust: 0.3

sources: BID: 98290

SOURCES

db: CNVD, id: CNVD-2017-08173
db: VULMON, id: CVE-2017-0256
db: BID, id: 98290
db: JVNDB, id: JVNDB-2017-003295
db: CNNVD, id: CNNVD-201705-735
db: NVD, id: CVE-2017-0256

LAST UPDATE DATE

2024-11-23T22:17:57.475000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-08173, date: 2017-06-05T00:00:00
db: VULMON, id: CVE-2017-0256, date: 2021-06-30T00:00:00
db: BID, id: 98290, date: 2017-05-23T16:25:00
db: JVNDB, id: JVNDB-2017-003295, date: 2017-05-24T00:00:00
db: CNNVD, id: CNNVD-201705-735, date: 2021-07-01T00:00:00
db: NVD, id: CVE-2017-0256, date: 2024-11-21T03:02:38.197

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-08173, date: 2017-06-05T00:00:00
db: VULMON, id: CVE-2017-0256, date: 2017-05-12T00:00:00
db: BID, id: 98290, date: 2017-05-10T00:00:00
db: JVNDB, id: JVNDB-2017-003295, date: 2017-05-24T00:00:00
db: CNNVD, id: CNNVD-201705-735, date: 2017-05-22T00:00:00
db: NVD, id: CVE-2017-0256, date: 2017-05-12T14:29:04.457