CVE-2017-8585

Core: DoS via invalid culture

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Microsoft .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 allow an attacker to send specially crafted requests to a .NET web application, resulting in denial of service, aka .NET Denial of Service Vulnerability.

Microsoft .NET Framework versiones 4.6, 4.6.1, 4.6.2 y 4.7, permiten a un atacante enviar peticiones especialmente creadas a una aplicación web .NET, resultando en una denegación de servicio, también se conoce como vulnerabilidad de denegación de servicio de .NET.

New versions of .NET Core that address several security vulnerabilities are now available. The updated versions are .NET Core 1.0.8, 1.1.5 and 2.0.3. Security Fixes: By providing an invalid culture, an attacker can cause a recursive lookup that leads to a denial of service. Supplying a specially crafted certificate can cause an infinite X509Chain, resulting in a denial of service.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-05-03 CVE Reserved
2017-07-11 CVE Published
2024-09-16 CVE Updated
2025-04-02 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (6)

URL	Tag	Source
http://www.securityfocus.com/bid/99432	Third Party Advisory
http://www.securitytracker.com/id/1038864	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8585	2017-12-02

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2017:3248	2017-12-02
https://access.redhat.com/security/cve/CVE-2017-8585	2017-11-20
https://bugzilla.redhat.com/show_bug.cgi?id=1512982	2017-11-20

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Microsoft Search vendor "Microsoft"		.net Framework Search vendor "Microsoft" for product ".net Framework"				4.6 Search vendor "Microsoft" for product ".net Framework" and version "4.6"		-		Affected
Microsoft Search vendor "Microsoft"		.net Framework Search vendor "Microsoft" for product ".net Framework"				4.6.1 Search vendor "Microsoft" for product ".net Framework" and version "4.6.1"		-		Affected
Microsoft Search vendor "Microsoft"		.net Framework Search vendor "Microsoft" for product ".net Framework"				4.6.2 Search vendor "Microsoft" for product ".net Framework" and version "4.6.2"		-		Affected
Microsoft Search vendor "Microsoft"		.net Framework Search vendor "Microsoft" for product ".net Framework"				4.7 Search vendor "Microsoft" for product ".net Framework" and version "4.7"		-		Affected