High severity7.5NVD Advisory· Published May 12, 2017· Updated Jun 17, 2026
CVE-2017-0248
CVE-2017-0248
Description
Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka ".NET Security Feature Bypass Vulnerability."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.AspNetCore.MvcNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.MvcNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.CoreNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.CoreNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
System.Net.HttpNuGet | >= 4.1.1, < 4.1.2 | 4.1.2 |
System.Net.HttpNuGet | >= 4.3.1, < 4.3.2 | 4.3.2 |
System.Text.Encodings.WebNuGet | >= 4.0.0, < 4.0.1 | 4.0.1 |
System.Text.Encodings.WebNuGet | >= 4.3.0, < 4.3.1 | 4.3.1 |
System.Net.Http.WinHttpHandlerNuGet | >= 4.0.0, < 4.0.1 | 4.0.1 |
System.Net.Http.WinHttpHandlerNuGet | >= 4.3.0, < 4.3.1 | 4.3.1 |
System.Net.SecurityNuGet | >= 4.0.0, < 4.0.1 | 4.0.1 |
System.Net.SecurityNuGet | >= 4.3.0, < 4.3.1 | 4.3.1 |
System.Net.WebSockets.ClientNuGet | >= 4.0.0, < 4.0.1 | 4.0.1 |
System.Net.WebSockets.ClientNuGet | >= 4.3.0, < 4.3.1 | 4.3.1 |
Microsoft.AspNetCore.Mvc.AbstractionsNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.AbstractionsNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.ApiExplorerNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.ApiExplorerNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.CorsNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.CorsNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.DataAnnotationsNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.DataAnnotationsNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.Formatters.JsonNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.Formatters.JsonNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.Formatters.XmlNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.Formatters.XmlNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.LocalizationNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.LocalizationNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.Razor.HostNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.Razor.HostNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.RazorNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.RazorNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.TagHelpersNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.TagHelpersNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.ViewFeaturesNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.ViewFeaturesNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.WebApiCompatShimNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.WebApiCompatShimNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Affected products
28cpe:2.3:a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*+ 7 more
- cpe:2.3:a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:3.5:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:3.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:4.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:4.6:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:4.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:4.7:*:*:*:*:*:*:*
- ghsa-coords19 versionspkg:nuget/microsoft.aspnetcore.mvcpkg:nuget/microsoft.aspnetcore.mvc.abstractionspkg:nuget/microsoft.aspnetcore.mvc.apiexplorerpkg:nuget/microsoft.aspnetcore.mvc.corepkg:nuget/microsoft.aspnetcore.mvc.corspkg:nuget/microsoft.aspnetcore.mvc.dataannotationspkg:nuget/microsoft.aspnetcore.mvc.formatters.jsonpkg:nuget/microsoft.aspnetcore.mvc.formatters.xmlpkg:nuget/microsoft.aspnetcore.mvc.localizationpkg:nuget/microsoft.aspnetcore.mvc.razorpkg:nuget/microsoft.aspnetcore.mvc.razor.hostpkg:nuget/microsoft.aspnetcore.mvc.taghelperspkg:nuget/microsoft.aspnetcore.mvc.viewfeaturespkg:nuget/microsoft.aspnetcore.mvc.webapicompatshimpkg:nuget/system.net.httppkg:nuget/system.net.http.winhttphandlerpkg:nuget/system.net.securitypkg:nuget/system.net.websockets.clientpkg:nuget/system.text.encodings.web
>= 1.0.0, < 1.0.4+ 18 more
- (no CPE)range: >= 1.0.0, < 1.0.4
- (no CPE)range: >= 1.0.0, < 1.0.4
- (no CPE)range: >= 1.0.0, < 1.0.4
- (no CPE)range: >= 1.0.0, < 1.0.4
- (no CPE)range: >= 1.0.0, < 1.0.4
- (no CPE)range: >= 1.0.0, < 1.0.4
- (no CPE)range: >= 1.0.0, < 1.0.4
- (no CPE)range: >= 1.0.0, < 1.0.4
- (no CPE)range: >= 1.0.0, < 1.0.4
- (no CPE)range: >= 1.0.0, < 1.0.4
- (no CPE)range: >= 1.0.0, < 1.0.4
- (no CPE)range: >= 1.0.0, < 1.0.4
- (no CPE)range: >= 1.0.0, < 1.0.4
- (no CPE)range: >= 1.0.0, < 1.0.4
- (no CPE)range: >= 4.1.1, < 4.1.2
- (no CPE)range: >= 4.0.0, < 4.0.1
- (no CPE)range: >= 4.0.0, < 4.0.1
- (no CPE)range: >= 4.0.0, < 4.0.1
- (no CPE)range: >= 4.0.0, < 4.0.1
- Microsoft Corporation/Microsoft .NET Frameworkv5Range: Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7
Patches
Vulnerability mechanics
References
6- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0248nvdPatchVendor AdvisoryWEB
- www.securityfocus.com/bid/98117nvdThird Party AdvisoryVDB Entry
- github.com/advisories/GHSA-ch6p-4jcm-h8vhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-0248ghsaADVISORY
- github.com/aspnet/Announcements/issues/239ghsaWEB
- www.securitytracker.com/id/1038458nvd
News mentions
0No linked articles in our index yet.