CVE-2017-11770:
Improper Certificate Validation
7.5
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.93719%
CWE
Published
4/12/2022
Updated
1/11/2023
KEV Status
No
Technology
C#
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
System.Security.Cryptography.X509Certificates | nuget | >= 4.0.0, < 4.1.2 | 4.1.2 |
Microsoft.NETCore.App | nuget | >= 1.0.0, < 2.0.3 | 2.0.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability centers on improper certificate chain validation leading to DoS. The X509Chain.Build()
method is the primary entry point for certificate chain validation in .NET's cryptography stack. The advisory explicitly mentions infinite X509Chain
recursion as the attack vector, which would manifest in this chain-building function. While no direct patch code is shown, the vulnerability description and affected component (X509Certificates
package) strongly implicate this critical security boundary function as the vulnerable entry point.