Authentication Bypass Affecting system.net.http package, versions [,4.1.2) [4.3,4.3.2)

Snyk CVSS

Attack Complexity Low

Threat Intelligence

EPSS 0.11% (44^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-DOTNET-SYSTEMNETHTTP-60048
published 12 May 2017
disclosed 12 May 2017
credit Mikhail Shcherbakov

Report a new vulnerability Found a mistake?

Introduced: 12 May 2017

CVE-2017-0256 Open this link in a new tab CWE-20 Open this link in a new tab

Overview

The ASP.NET Core fails to properly sanitize the Web Request Handler component, allowing an attacker to spoof web requests and bypass authentication.

References

https://github.com/aspnet/Announcements/issues/239
https://technet.microsoft.com/en-us/library/security/4021279.aspx
https://nvd.nist.gov/vuln/detail/2017-0256