SCA: security update for microsoft.aspnetcore.mvc, microsoft.aspnetcore.mvc.abstractions, microsoft.aspnetcore.mvc.apiexplorer, microsoft.aspnetcore.mvc.core, microsoft.aspnetcore.mvc.cors, microsoft.aspnetcore.mvc.dataannotations, microsoft.aspnetcore.mvc.formatters.json, microsoft.aspnetcore.mvc.formatters.xml, microsoft.aspnetcore.mvc.localization, microsoft.aspnetcore.mvc.razor, microsoft.aspnetcore.mvc.razor.host, microsoft.aspnetcore.mvc.taghelpers, microsoft.aspnetcore.mvc.viewfeatures, microsoft.aspnetcore.mvc.webapicompatshim, system.net.http, system.net.http.winhttphandler, system.net.security, system.net.websockets.client, system.text.encodings.web (GHSA-6xh7-4v2w-36q6)

high Tenable Self-Hosted Container Security Plugin ID 422470

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests.
NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore
function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3
allows remote attackers to cause a denial of service by leveraging failure to properly calculate the
length of 4-byte characters in the Unicode Non-Character range. (CVE-2017-0247)

See Also

https://github.com/advisories/GHSA-6xh7-4v2w-36q6

Plugin Details

Severity: High

ID: 422470

Version: Revision 1.2

Type: Local

Family: SCA Checks

Published: 3/28/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.09

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2017-0247

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/16/2018

Vulnerability Publication Date: 5/10/2017

Reference Information

CVE: CVE-2017-0247

BID: 98116

cwe: CWE-20