SB2017111420 - Multiple vulnerabilities in Microsoft ASP.NET Core

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017111420

SB2017111420 - Multiple vulnerabilities in Microsoft ASP.NET Core

Published: November 14, 2017

Security Bulletin ID SB2017111420
Severity
Low
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2017-11883)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to improper handling of web requests by ASP.NET Core. A remote attacker can issue specially crafted requests to the .NET Core application and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.


2) Open redirect (CVE-ID: CVE-2017-11879)

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to insufficient sanitization of untrusted input data when performing redirects to external websites. A remote attacker can create a specially crafted URL,  redirect users to the malicious websites and gain system privileges.

3) Security restrictions bypass (CVE-ID: CVE-2017-8700)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists due to improper access control. A remote attacker can bypass Cross-origin Resource Sharing (CORS) configurations and retrieve restricted content from a web application.


4) Improper input validation (CVE-ID: CVE-2017-11770)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to improper handling of parsing certificate data by .NET Core. A remote attacker can provide a specially crafted certificate to the .NET Core application and cause the service to crash.

Successful exploitation of the vulnerability results in denial of service.


Remediation

Install update from vendor's website.

References