VYPR
Get started
← All advisories
High severity7.5NVD Advisory· Published May 12, 2017· Updated May 13, 2026

CVE-2017-0248

CVE-2017-0248

Description

Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka ".NET Security Feature Bypass Vulnerability."

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Microsoft.AspNetCore.MvcNuGet
>= 1.0.0, < 1.0.41.0.4
Microsoft.AspNetCore.MvcNuGet
>= 1.1.0, < 1.1.31.1.3
Microsoft.AspNetCore.Mvc.CoreNuGet
>= 1.0.0, < 1.0.41.0.4
Microsoft.AspNetCore.Mvc.CoreNuGet
>= 1.1.0, < 1.1.31.1.3
System.Net.HttpNuGet
>= 4.1.1, < 4.1.24.1.2
System.Net.HttpNuGet
>= 4.3.1, < 4.3.24.3.2
System.Text.Encodings.WebNuGet
>= 4.0.0, < 4.0.14.0.1
System.Text.Encodings.WebNuGet
>= 4.3.0, < 4.3.14.3.1
System.Net.Http.WinHttpHandlerNuGet
>= 4.0.0, < 4.0.14.0.1
System.Net.Http.WinHttpHandlerNuGet
>= 4.3.0, < 4.3.14.3.1
System.Net.SecurityNuGet
>= 4.0.0, < 4.0.14.0.1
System.Net.SecurityNuGet
>= 4.3.0, < 4.3.14.3.1
System.Net.WebSockets.ClientNuGet
>= 4.0.0, < 4.0.14.0.1
System.Net.WebSockets.ClientNuGet
>= 4.3.0, < 4.3.14.3.1
Microsoft.AspNetCore.Mvc.AbstractionsNuGet
>= 1.0.0, < 1.0.41.0.4
Microsoft.AspNetCore.Mvc.AbstractionsNuGet
>= 1.1.0, < 1.1.31.1.3
Microsoft.AspNetCore.Mvc.ApiExplorerNuGet
>= 1.0.0, < 1.0.41.0.4
Microsoft.AspNetCore.Mvc.ApiExplorerNuGet
>= 1.1.0, < 1.1.31.1.3
Microsoft.AspNetCore.Mvc.CorsNuGet
>= 1.0.0, < 1.0.41.0.4
Microsoft.AspNetCore.Mvc.CorsNuGet
>= 1.1.0, < 1.1.31.1.3
Microsoft.AspNetCore.Mvc.DataAnnotationsNuGet
>= 1.0.0, < 1.0.41.0.4
Microsoft.AspNetCore.Mvc.DataAnnotationsNuGet
>= 1.1.0, < 1.1.31.1.3
Microsoft.AspNetCore.Mvc.Formatters.JsonNuGet
>= 1.0.0, < 1.0.41.0.4
Microsoft.AspNetCore.Mvc.Formatters.JsonNuGet
>= 1.1.0, < 1.1.31.1.3
Microsoft.AspNetCore.Mvc.Formatters.XmlNuGet
>= 1.0.0, < 1.0.41.0.4
Microsoft.AspNetCore.Mvc.Formatters.XmlNuGet
>= 1.1.0, < 1.1.31.1.3
Microsoft.AspNetCore.Mvc.LocalizationNuGet
>= 1.0.0, < 1.0.41.0.4
Microsoft.AspNetCore.Mvc.LocalizationNuGet
>= 1.1.0, < 1.1.31.1.3
Microsoft.AspNetCore.Mvc.Razor.HostNuGet
>= 1.0.0, < 1.0.41.0.4
Microsoft.AspNetCore.Mvc.Razor.HostNuGet
>= 1.1.0, < 1.1.31.1.3
Microsoft.AspNetCore.Mvc.RazorNuGet
>= 1.0.0, < 1.0.41.0.4
Microsoft.AspNetCore.Mvc.RazorNuGet
>= 1.1.0, < 1.1.31.1.3
Microsoft.AspNetCore.Mvc.TagHelpersNuGet
>= 1.0.0, < 1.0.41.0.4
Microsoft.AspNetCore.Mvc.TagHelpersNuGet
>= 1.1.0, < 1.1.31.1.3
Microsoft.AspNetCore.Mvc.ViewFeaturesNuGet
>= 1.0.0, < 1.0.41.0.4
Microsoft.AspNetCore.Mvc.ViewFeaturesNuGet
>= 1.1.0, < 1.1.31.1.3
Microsoft.AspNetCore.Mvc.WebApiCompatShimNuGet
>= 1.0.0, < 1.0.41.0.4
Microsoft.AspNetCore.Mvc.WebApiCompatShimNuGet
>= 1.1.0, < 1.1.31.1.3

Affected products

9
  • Microsoft/.net Framework8 versions
    cpe:2.3:a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*+ 7 more
    • cpe:2.3:a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:.net_framework:3.5:*:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:.net_framework:3.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:.net_framework:4.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:.net_framework:4.6:*:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:.net_framework:4.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:.net_framework:4.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:.net_framework:4.7:*:*:*:*:*:*:*
  • Microsoft Corporation/Microsoft .NET Frameworkv5
    Range: Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

6

News mentions

0

No linked articles in our index yet.