Miggo Logo

CVE-2017-11883: Denial of service in ASP.NET Core

7.5

CVSS Score
3.0

Basic Information

EPSS Score
0.94461%
CWE
-
Published
5/13/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyC#

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
Microsoft.AspNetCore.Server.WebListenernuget>= 1.0.0, < 1.0.61.0.6
Microsoft.AspNetCore.Server.WebListenernuget>= 1.1.0, < 1.1.41.1.4
Microsoft.Net.Http.Servernuget>= 1.0.0, < 1.0.61.0.6
Microsoft.Net.Http.Servernuget>= 1.1.0, < 1.1.41.1.4
Microsoft.AspNetCore.Server.HttpSysnuget>= 2.0.0, < 2.0.22.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The provided vulnerability information (CVE-2017-11883) describes a denial-of-service issue in ASP.NET Core's HTTP request handling when using the HttpSys/WebListener server. However, the available data (advisories, NVD entries, and Microsoft's announcement) do not explicitly name specific functions or methods responsible for the vulnerability. The root cause is attributed to improper request processing logic in the affected packages (Microsoft.AspNetCore.Server.WebListener, Microsoft.Net.Http.Server, and Microsoft.AspNetCore.Server.HttpSys), but without access to commit diffs, patch details, or code examples, it is impossible to identify exact functions with high confidence. The vulnerability likely stems from low-level HTTP request parsing or resource management in the HttpSys infrastructure, but no function names or file paths are disclosed in the provided sources.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

.N*T *or* *.*, *.*, *n* *.* *llow *n un*ut**nti**t** *tt**k*r to r*mot*ly **us* * **ni*l o* s*rvi** *tt**k ***inst * .N*T *or* w** *ppli**tion *y improp*rly **n*lin* w** r*qu*sts, *k* ".N*T *OR* **ni*l O* S*rvi** Vuln*r**ility".

Reasoning

T** provi*** vuln*r**ility in*orm*tion (*V*-****-*****) **s*ri**s * **ni*l-o*-s*rvi** issu* in *SP.N*T *or*'s *TTP r*qu*st **n*lin* w**n usin* t** `*ttpSys`/`W**List*n*r` s*rv*r. *ow*v*r, t** *v*il**l* **t* (**visori*s, NV* *ntri*s, *n* Mi*roso*t's *