CVE-2018-0765: Denial of service vulnerability exists when .NET and .NET Core improperly process XML documents
CVSS Score: 7.5 (CVSS 3.0)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.90171%
CWE
Published: 10/16/2018
Updated: 1/9/2023
KEV Status: No
Technology: C#
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
System.Security.Cryptography.Xml | nuget | < 4.4.2 | 4.4.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (CWE-611) stems from improper restriction of XML External Entity references. The affected package, `System.Security.Cryptography.Xml`, handles XML encryption and signatures. Functions like `DecryptDocument` and `CheckSignature` are core to parsing and processing XML in this context. Historical fixes for XXE vulnerabilities in .NET often involve hardening XML parsers by disabling DTDs and external resolvers. These functions are critical points where insecure XML parsing configurations would manifest, aligning with the described denial of service vector. The high confidence stems from the direct correlation between the CWE, the package's purpose, and the typical remediation patterns for XXE in .NET's XML processing components.
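The hardening pattern named above (DTDs disabled, no external resolver), applied on the caller's side before a document reaches `CheckSignature`. This is an added example, not the vendor patch or the package's own code; the remediation listed on this page is upgrading to 4.4.2. The class and method names (`SafeXmlLoader`, `LoadUntrusted`, `VerifySignature`) and the sample input are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Hypothetical helper names; not part of System.Security.Cryptography.Xml.
public static class SafeXmlLoader
{
    // Parse untrusted XML with DTDs rejected and no external resolver.
    public static XmlDocument LoadUntrusted(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> throws XmlException
            XmlResolver = null,                     // never fetch external resources
            MaxCharactersFromEntities = 1024        // cap entity expansion if DTDs are ever re-enabled
        };
        var doc = new XmlDocument { XmlResolver = null, PreserveWhitespace = true };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    // Verify an XML-DSig signature on a document loaded through LoadUntrusted.
    public static bool VerifySignature(XmlDocument doc, AsymmetricAlgorithm key)
    {
        var nodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) return false; // exactly one signature element expected
        var signed = new SignedXml(doc);
        signed.LoadXml((XmlElement)nodes[0]);
        return signed.CheckSignature(key);
    }

    public static void Main()
    {
        // Constructed sample input: a document that declares entities in an internal DTD.
        const string sample =
            "<!DOCTYPE r [<!ENTITY a \"aaaa\"><!ENTITY b \"&a;&a;\">]><r>&b;</r>";
        try { LoadUntrusted(sample); Console.WriteLine("parsed (unexpected)"); }
        catch (XmlException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

`PreserveWhitespace = true` keeps the parsed bytes stable for signature verification. The reader settings protect only the caller's own parse, so vulnerable versions of the package (< 4.4.2) still need the upgrade.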