CVE-2017-0248

Description

Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka ".NET Security Feature Bypass Vulnerability."

How to fix CVE-2017-0248

To remediate CVE-2017-0248, upgrade the affected package to a fixed version below.

• NuGet/Microsoft.AspNetCore.Mvc—upgrade to 1.0.4 or later
• NuGet/Microsoft.AspNetCore.Mvc.Abstractions—upgrade to 1.0.4 or later
• —upgrade to 1.0.4 or later
• —upgrade to 1.0.4 or later
• —upgrade to 1.0.4 or later
• —upgrade to 1.0.4 or later
• —upgrade to 1.0.4 or later
• —upgrade to 1.0.4 or later
• —upgrade to 1.0.4 or later
• —upgrade to 1.0.4 or later
• —upgrade to 1.0.4 or later
• —upgrade to 1.0.4 or later
• —upgrade to 1.0.4 or later
• —upgrade to 1.0.4 or later
• —upgrade to 4.1.2 or later
• —upgrade to 4.0.1 or later
• —upgrade to 4.0.1 or later
• —upgrade to 4.0.1 or later
• —upgrade to 4.0.1 or later

Is CVE-2017-0248 being exploited?

Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.

Affected packages (19)

• >= 1.0.0, < 1.0.4
• >= 1.0.0, < 1.0.4
• >= 1.0.0, < 1.0.4
• >= 1.0.0, < 1.0.4
• >= 1.0.0, < 1.0.4
• >= 1.0.0, < 1.0.4
• >= 1.0.0, < 1.0.4
• >= 1.0.0, < 1.0.4
• >= 1.0.0, < 1.0.4

References (4)

• ADVISORYgithub.com/advisories/GHSA-ch6p-4jcm-h8vh
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-0248
• WEBgithub.com/aspnet/Announcements/issues/239
• WEBportal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0248