HIGH 7.5

GHSA-3rp6-rjw4-cq39

Cross-origin Resource Sharing bypass in ASP.NET Core

Details

ASP.NET Core 1.0, 1.1, and 2.0 allow an attacker to bypass Cross-origin Resource Sharing (CORS) configurations and retrieve normally restricted content from a web application, aka "ASP.NET Core Information Disclosure Vulnerability".

Are you affected?

Enter the version of the package you're using.

Affected packages

NuGet / Microsoft.AspNetCore.Mvc.Core

Introduced in: 1.0.0 Fixed in: 1.0.6

Fix dotnet add package Microsoft.AspNetCore.Mvc.Core --version 1.0.6

NuGet / Microsoft.AspNetCore.Mvc.Core

Introduced in: 1.1.0 Fixed in: 1.1.6

Fix dotnet add package Microsoft.AspNetCore.Mvc.Core --version 1.1.6

NuGet / Microsoft.AspNetCore.Mvc.Cors

Introduced in: 1.0.0 Fixed in: 1.0.6

Fix dotnet add package Microsoft.AspNetCore.Mvc.Cors --version 1.0.6

NuGet / Microsoft.AspNetCore.Mvc.Cors

Introduced in: 1.1.0 Fixed in: 1.1.6

Fix dotnet add package Microsoft.AspNetCore.Mvc.Cors --version 1.1.6

References

https://nvd.nist.gov/vuln/detail/CVE-2017-8700 [ADVISORY]
https://github.com/aspnet/Announcements/issues/279 [WEB]
https://github.com/github/advisory-database/issues/302 [WEB]
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8700 [WEB]