PT-2017-10474 · Microsoft · Asp.Net Core Mvc+1

Published: 2017-05-12 · Updated: 2021-06-30 · CVE-2017-0247

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions
ASP.NET Core Mvc versions prior to 1.0.4
ASP.NET Core Mvc versions 1.1.x prior to 1.1.3

Description
A denial of service issue exists due to the failure of ASP.NET Core to properly validate web requests. This is reportedly caused by the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package, which fails to correctly calculate the length of 4-byte characters in the Unicode Non-Character range, allowing remote attackers to cause a denial of service.

Recommendations
For ASP.NET Core Mvc versions prior to 1.0.4, update to version 1.0.4 or later.
For ASP.NET Core Mvc versions 1.1.x prior to 1.1.3, update to version 1.1.3 or later.

Related Identifiers

CVE-2017-0247
GHSA-6XH7-4V2W-36Q6

Affected Products

Asp.Net Core Mvc
System.Text.Encodings.Web