ASP.NET Core 1.0, 1.1, and 2.0 allow an attacker to bypass Cross-origin Resource Sharing (CORS) configurations and retrieve normally restricted content from a web application, aka "ASP.NET Core Information Disclosure Vulnerability".

Affected Packages

NuGet Microsoft.AspNetCore.Mvc.Core

Affected versions: 1.0.0 (fixed in 1.0.6)

NuGet Microsoft.AspNetCore.Mvc.Core

Affected versions: 1.1.0 (fixed in 1.1.6)

NuGet Microsoft.AspNetCore.Mvc.Cors

Affected versions: 1.0.0 (fixed in 1.0.6)

NuGet Microsoft.AspNetCore.Mvc.Cors

Affected versions: 1.1.0 (fixed in 1.1.6)

Related CVEs

CVE-2017-8700

Key Information

GHSA ID

GHSA-3rp6-rjw4-cq39

Published

May 13, 2022 1:47 AM

Last Modified

July 8, 2022 7:22 PM

CVSS Score

7.5 /10

Primary Ecosystem

NuGet

Primary Package

Microsoft.AspNetCore.Mvc.Core

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 17, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.