GHSA-ch6p-4jcm-h8vh
GitHub Security Advisory
Moderate severity vulnerability that affects Microsoft.AspNetCore.Mvc and Microsoft.AspNetCore.Mvc.Core
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka ".NET Security Feature Bypass Vulnerability."
Affected Packages
NuGet
Microsoft.AspNetCore.Mvc
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.Core
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.Core
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
System.Net.Http
Affected versions:
4.1.1
(fixed in 4.1.2)
NuGet
System.Net.Http
Affected versions:
4.3.1
(fixed in 4.3.2)
NuGet
System.Text.Encodings.Web
Affected versions:
4.0.0
(fixed in 4.0.1)
NuGet
System.Text.Encodings.Web
Affected versions:
4.3.0
(fixed in 4.3.1)
NuGet
System.Net.Http.WinHttpHandler
Affected versions:
4.0.0
(fixed in 4.0.1)
NuGet
System.Net.Http.WinHttpHandler
Affected versions:
4.3.0
(fixed in 4.3.1)
NuGet
System.Net.Security
Affected versions:
4.0.0
(fixed in 4.0.1)
NuGet
System.Net.Security
Affected versions:
4.3.0
(fixed in 4.3.1)
NuGet
System.Net.WebSockets.Client
Affected versions:
4.0.0
(fixed in 4.0.1)
NuGet
System.Net.WebSockets.Client
Affected versions:
4.3.0
(fixed in 4.3.1)
NuGet
Microsoft.AspNetCore.Mvc.Abstractions
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.Abstractions
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.ApiExplorer
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.ApiExplorer
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.Cors
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.Cors
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.DataAnnotations
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.DataAnnotations
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.Formatters.Json
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.Formatters.Json
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.Formatters.Xml
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.Formatters.Xml
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.Localization
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.Localization
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.Razor.Host
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.Razor.Host
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.Razor
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.Razor
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.TagHelpers
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.TagHelpers
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.ViewFeatures
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.ViewFeatures
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.WebApiCompatShim
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.WebApiCompatShim
Affected versions:
1.1.0
(fixed in 1.1.3)
Related CVEs
Key Information
5.0
/10
Dataset
Last updated: June 18, 2025 6:25 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.