Medium severity5.3NVD Advisory· Published May 12, 2017· Updated May 13, 2026

CVE-2017-0256

Description

A spoofing vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
Microsoft.AspNetCore.MvcNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.MvcNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.CoreNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.CoreNuGet	>= 1.1.0, < 1.1.3	1.1.3
System.Net.HttpNuGet	>= 4.1.1, < 4.1.2	4.1.2
System.Net.HttpNuGet	>= 4.3.1, < 4.3.2	4.3.2
System.Text.Encodings.WebNuGet	>= 4.0.0, < 4.0.1	4.0.1
System.Text.Encodings.WebNuGet	>= 4.3.0, < 4.3.1	4.3.1
System.Net.Http.WinHttpHandlerNuGet	>= 4.0.0, < 4.0.1	4.0.1
System.Net.Http.WinHttpHandlerNuGet	>= 4.3.0, < 4.3.1	4.3.1
System.Net.SecurityNuGet	>= 4.0.0, < 4.0.1	4.0.1
System.Net.SecurityNuGet	>= 4.3.0, < 4.3.1	4.3.1
System.Net.WebSockets.ClientNuGet	>= 4.0.0, < 4.0.1	4.0.1
System.Net.WebSockets.ClientNuGet	>= 4.3.0, < 4.3.1	4.3.1
Microsoft.AspNetCore.Mvc.AbstractionsNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.AbstractionsNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.ApiExplorerNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.ApiExplorerNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.CorsNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.CorsNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.DataAnnotationsNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.DataAnnotationsNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.Formatters.JsonNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.Formatters.JsonNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.Formatters.XmlNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.Formatters.XmlNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.LocalizationNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.LocalizationNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.Razor.HostNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.Razor.HostNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.RazorNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.RazorNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.TagHelpersNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.TagHelpersNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.ViewFeaturesNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.ViewFeaturesNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.WebApiCompatShimNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.WebApiCompatShimNuGet	>= 1.1.0, < 1.1.3	1.1.3

Affected products

102

Microsoft/Asp.net Model View Controller7 versions
cpe:2.3:a:microsoft:asp.net_model_view_controller:1.0.0:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:a:microsoft:asp.net_model_view_controller:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:asp.net_model_view_controller:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:asp.net_model_view_controller:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:asp.net_model_view_controller:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:asp.net_model_view_controller:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:asp.net_model_view_controller:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:asp.net_model_view_controller:1.1.2:*:*:*:*:*:*:*
Microsoft/Microsoft.aspnetcore.mvc.abstractions7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.abstractions:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.abstractions:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.abstractions:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.abstractions:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.abstractions:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.abstractions:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.abstractions:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.abstractions:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.apiexplorer7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.apiexplorer:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.apiexplorer:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.apiexplorer:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.apiexplorer:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.apiexplorer:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.apiexplorer:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.apiexplorer:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.apiexplorer:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.cors7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.cors:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.cors:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.cors:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.cors:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.cors:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.cors:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.cors:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.cors:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.dataannotations7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.dataannotations:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.dataannotations:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.dataannotations:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.dataannotations:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.dataannotations:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.dataannotations:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.dataannotations:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.dataannotations:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.formatters.JSON7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.json:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.json:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.json:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.json:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.json:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.json:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.json:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.json:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.formatters.XML7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.xml:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.xml:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.xml:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.xml:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.xml:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.xml:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.xml:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.xml:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.localization7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.localization:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.localization:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.localization:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.localization:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.localization:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.localization:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.localization:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.localization:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.razor7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.razor.host7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor.host:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor.host:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor.host:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor.host:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor.host:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor.host:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor.host:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor.host:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.taghelpers7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.taghelpers:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.taghelpers:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.taghelpers:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.taghelpers:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.taghelpers:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.taghelpers:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.taghelpers:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.taghelpers:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.viewfeatures7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.viewfeatures:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.viewfeatures:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.viewfeatures:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.viewfeatures:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.viewfeatures:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.viewfeatures:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.viewfeatures:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.viewfeatures:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.webapicompatshim7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.webapicompatshim:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.webapicompatshim:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.webapicompatshim:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.webapicompatshim:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.webapicompatshim:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.webapicompatshim:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.webapicompatshim:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.webapicompatshim:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/System.net.HTTP2 versions
cpe:2.3:a:microsoft:system.net.http:4.1.1:*:*:*:*:asp.net:*:*+ 1 more
- cpe:2.3:a:microsoft:system.net.http:4.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:system.net.http:4.3.1:*:*:*:*:asp.net:*:*
Microsoft/System.net.HTTP.winhttphandler2 versions
cpe:2.3:a:microsoft:system.net.http.winhttphandler:4.0.1:*:*:*:*:asp.net:*:*+ 1 more
- cpe:2.3:a:microsoft:system.net.http.winhttphandler:4.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:system.net.http.winhttphandler:4.3.0:*:*:*:*:asp.net:*:*
Microsoft/System.net.security2 versions
cpe:2.3:a:microsoft:system.net.security:4.0.0:*:*:*:*:asp.net:*:*+ 1 more
- cpe:2.3:a:microsoft:system.net.security:4.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:system.net.security:4.3.0:*:*:*:*:asp.net:*:*
Microsoft/System.net.websockets.client2 versions
cpe:2.3:a:microsoft:system.net.websockets.client:4.0.0:*:*:*:*:asp.net:*:*+ 1 more
- cpe:2.3:a:microsoft:system.net.websockets.client:4.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:system.net.websockets.client:4.3.0:*:*:*:*:asp.net:*:*
Microsoft/System.text.encodings.web2 versions
cpe:2.3:a:microsoft:system.text.encodings.web:4.0.0:*:*:*:*:asp.net:*:*+ 1 more
- cpe:2.3:a:microsoft:system.text.encodings.web:4.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:system.text.encodings.web:4.3.0:*:*:*:*:asp.net:*:*
Microsoft Corporation/ASP.NET Corev5
Range: ASP.NET Core

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-j8f4-2w4p-mhjcghsaADVISORY
github.com/aspnet/Announcements/issues/239nvdTechnical DescriptionThird Party AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2017-0256ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.003
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000