High severity7.3NVD Advisory· Published May 12, 2017· Updated May 13, 2026
CVE-2017-0249
CVE-2017-0249
Description
An elevation of privilege vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.AspNetCore.MvcNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.MvcNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.CoreNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.CoreNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
System.Net.HttpNuGet | >= 4.1.1, < 4.1.2 | 4.1.2 |
System.Net.HttpNuGet | >= 4.3.1, < 4.3.2 | 4.3.2 |
System.Text.Encodings.WebNuGet | >= 4.0.0, < 4.0.1 | 4.0.1 |
System.Text.Encodings.WebNuGet | >= 4.3.0, < 4.3.1 | 4.3.1 |
System.Net.Http.WinHttpHandlerNuGet | >= 4.0.0, < 4.0.1 | 4.0.1 |
System.Net.Http.WinHttpHandlerNuGet | >= 4.3.0, < 4.3.1 | 4.3.1 |
System.Net.SecurityNuGet | >= 4.0.0, < 4.0.1 | 4.0.1 |
System.Net.SecurityNuGet | >= 4.3.0, < 4.3.1 | 4.3.1 |
System.Net.WebSockets.ClientNuGet | >= 4.0.0, < 4.0.1 | 4.0.1 |
System.Net.WebSockets.ClientNuGet | >= 4.3.0, < 4.3.1 | 4.3.1 |
Microsoft.AspNetCore.Mvc.AbstractionsNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.AbstractionsNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.ApiExplorerNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.ApiExplorerNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.CorsNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.CorsNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.DataAnnotationsNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.DataAnnotationsNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.Formatters.JsonNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.Formatters.JsonNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.Formatters.XmlNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.Formatters.XmlNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.LocalizationNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.LocalizationNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.Razor.HostNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.Razor.HostNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.RazorNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.RazorNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.TagHelpersNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.TagHelpersNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.ViewFeaturesNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.ViewFeaturesNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
Microsoft.AspNetCore.Mvc.WebApiCompatShimNuGet | >= 1.0.0, < 1.0.4 | 1.0.4 |
Microsoft.AspNetCore.Mvc.WebApiCompatShimNuGet | >= 1.1.0, < 1.1.3 | 1.1.3 |
DisCatSharpNuGet | <= 9.8.3 | — |
Affected products
1- Microsoft Corporation/ASP.NET Corev5Range: ASP.NET Core
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-qhqf-ghgh-x2m4ghsaADVISORY
- github.com/aspnet/Announcements/issues/239nvdTechnical DescriptionThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2017-0249ghsaADVISORY
- github.com/Aiko-IT-Systems/DisCatSharp/security/advisories/GHSA-wj4j-gr3f-cfh7ghsaWEB
News mentions
0No linked articles in our index yet.