CVE-2017-0248 - High Severity Vulnerability
Vulnerable Library - system.net.http.4.3.1.nupkg
Provides a programming interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers.
Library home page: https://api.nuget.org/packages/system.net.http.4.3.1.nupkg
Path to dependency file: /Integrations/Google/UiPath.Google/UiPath.Google.csproj
Path to vulnerable library: /tmp/ws-ua_20230620162214_SSRFPG/dotnet_EGMXVM/20230620162214/System.Net.Http.4.3.1/System.Net.Http.4.3.1.nupkg
Dependency Hierarchy:
- ❌ system.net.http.4.3.1.nupkg (Vulnerable Library)
Found in HEAD commit: 0c6513d8fe51047cbb7f6a41f2c1a1a25712e96a
Found in base branch: develop
Vulnerability Details
Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka ".NET Security Feature Bypass Vulnerability."
Publish Date: 2017-05-12
URL: CVE-2017-0248
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-ch6p-4jcm-h8vh
Release Date: 2017-05-12
Fix Resolution: microsoft.aspnetcore.mvc.viewfeatures - 1.0.4,microsoft.aspnetcore.mvc.razor.host - 1.0.4,microsoft.aspnetcore.mvc.viewfeatures - 1.1.3,microsoft.aspnetcore.mvc.formatters.xml - 1.0.4,microsoft.aspnetcore.mvc.apiexplorer - 1.1.3,microsoft.aspnetcore.mvc.taghelpers - 1.1.3,microsoft.aspnetcore.mvc.localization - 1.0.4,system.net.http.winhttphandler - 4.3.1,microsoft.aspnetcore.mvc.taghelpers - 1.0.4,system.net.security - 4.0.1,microsoft.aspnetcore.mvc.core - 1.0.4,microsoft.aspnetcore.mvc.apiexplorer - 1.0.4,system.net.http - 4.1.2,microsoft.aspnetcore.mvc.abstractions - 1.1.3,microsoft.aspnetcore.mvc.razor.host - 1.1.3,microsoft.aspnetcore.mvc.cors - 1.1.3,microsoft.aspnetcore.mvc.core - 1.1.3,microsoft.aspnetcore.mvc.formatters.xml - 1.1.3,microsoft.aspnetcore.mvc.abstractions - 1.0.4,microsoft.aspnetcore.mvc.formatters.json - 1.1.3,system.net.http.winhttphandler - 4.0.1,microsoft.aspnetcore.mvc.razor - 1.1.3,system.text.encodings.web - 4.0.1,microsoft.aspnetcore.mvc - 1.0.4,microsoft.aspnetcore.mvc - 1.1.3,microsoft.aspnetcore.mvc.webapicompatshim - 1.1.3,microsoft.aspnetcore.mvc.razor - 1.0.4,system.net.security - 4.3.1,system.net.websockets.client - 4.3.1,microsoft.aspnetcore.mvc.dataannotations - 1.0.4,system.text.encodings.web - 4.3.1,system.net.http - 4.3.2,microsoft.aspnetcore.mvc.formatters.json - 1.0.4,microsoft.aspnetcore.mvc.webapicompatshim - 1.0.4,microsoft.aspnetcore.mvc.dataannotations - 1.1.3,microsoft.aspnetcore.mvc.cors - 1.0.4,microsoft.aspnetcore.mvc.localization - 1.1.3,system.net.websockets.client - 4.0.1
CVE-2017-0248 - High Severity Vulnerability
Provides a programming interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers.
Library home page: https://api.nuget.org/packages/system.net.http.4.3.1.nupkg
Path to dependency file: /Integrations/Google/UiPath.Google/UiPath.Google.csproj
Path to vulnerable library: /tmp/ws-ua_20230620162214_SSRFPG/dotnet_EGMXVM/20230620162214/System.Net.Http.4.3.1/System.Net.Http.4.3.1.nupkg
Dependency Hierarchy:
Found in HEAD commit: 0c6513d8fe51047cbb7f6a41f2c1a1a25712e96a
Found in base branch: develop
Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka ".NET Security Feature Bypass Vulnerability."
Publish Date: 2017-05-12
URL: CVE-2017-0248
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-ch6p-4jcm-h8vh
Release Date: 2017-05-12
Fix Resolution: microsoft.aspnetcore.mvc.viewfeatures - 1.0.4,microsoft.aspnetcore.mvc.razor.host - 1.0.4,microsoft.aspnetcore.mvc.viewfeatures - 1.1.3,microsoft.aspnetcore.mvc.formatters.xml - 1.0.4,microsoft.aspnetcore.mvc.apiexplorer - 1.1.3,microsoft.aspnetcore.mvc.taghelpers - 1.1.3,microsoft.aspnetcore.mvc.localization - 1.0.4,system.net.http.winhttphandler - 4.3.1,microsoft.aspnetcore.mvc.taghelpers - 1.0.4,system.net.security - 4.0.1,microsoft.aspnetcore.mvc.core - 1.0.4,microsoft.aspnetcore.mvc.apiexplorer - 1.0.4,system.net.http - 4.1.2,microsoft.aspnetcore.mvc.abstractions - 1.1.3,microsoft.aspnetcore.mvc.razor.host - 1.1.3,microsoft.aspnetcore.mvc.cors - 1.1.3,microsoft.aspnetcore.mvc.core - 1.1.3,microsoft.aspnetcore.mvc.formatters.xml - 1.1.3,microsoft.aspnetcore.mvc.abstractions - 1.0.4,microsoft.aspnetcore.mvc.formatters.json - 1.1.3,system.net.http.winhttphandler - 4.0.1,microsoft.aspnetcore.mvc.razor - 1.1.3,system.text.encodings.web - 4.0.1,microsoft.aspnetcore.mvc - 1.0.4,microsoft.aspnetcore.mvc - 1.1.3,microsoft.aspnetcore.mvc.webapicompatshim - 1.1.3,microsoft.aspnetcore.mvc.razor - 1.0.4,system.net.security - 4.3.1,system.net.websockets.client - 4.3.1,microsoft.aspnetcore.mvc.dataannotations - 1.0.4,system.text.encodings.web - 4.3.1,system.net.http - 4.3.2,microsoft.aspnetcore.mvc.formatters.json - 1.0.4,microsoft.aspnetcore.mvc.webapicompatshim - 1.0.4,microsoft.aspnetcore.mvc.dataannotations - 1.1.3,microsoft.aspnetcore.mvc.cors - 1.0.4,microsoft.aspnetcore.mvc.localization - 1.1.3,system.net.websockets.client - 4.0.1