CVE-2018-0765

EUVD-2018-0482

09.05.2018, 19:29

A denial of service vulnerability exists when .NET and .NET Core improperly process XML documents, aka ".NET and .NET Core Denial of Service Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.7.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.7/4.7.1, Microsoft .NET Framework 4.6, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, Microsoft .NET Framework 4.6.2/4.7/4.7.1, .NET Core 2.0, Microsoft .NET Framework 4.7.2.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 92%

Affected Products (NVD)

Vendor	Product	Version
microsoft	.net_core	2.0
microsoft	.net_framework	2.0:sp2
microsoft	.net_framework	3.0:sp2
microsoft	.net_framework	3.5
microsoft	.net_framework	3.5.1
microsoft	.net_framework	4.5.2
microsoft	.net_framework	4.6
microsoft	.net_framework	4.6.2
microsoft	.net_framework	4.7
microsoft	.net_framework	4.7.1
microsoft	.net_framework	4.6
microsoft	.net_framework	4.6.1
microsoft	.net_framework	4.6.2
microsoft	.net_framework	4.6
microsoft	.net_framework	4.6.1
microsoft	.net_framework	4.6.2
microsoft	.net_framework	4.7
microsoft	.net_framework	4.7.1
microsoft	.net_framework	4.7.1
microsoft	.net_framework	4.7.2
microsoft	.net_framework	4.7
microsoft	.net_framework	4.7.1

𝑥

= Vulnerable software versions

Windows Releases

Platform

Version

Windows 10

(x64, x86)	KB4103716
1607 (x64, x86)	KB4103723
1703 (x64, x86)	KB4103731
1709 (x64, x86)	KB4103727
1803 (x64, x86)	KB4103721

Windows 7

Service Pack 1 (x64, x86)	KB4096418
Service Pack 1 (x64, x86)	KB4095874
Service Pack 1 (x64, x86)	KB4096495

Windows 8.1

(x64, x86)	KB4096417
(x64, x86)	KB4095875
(x64, x86)	KB4095876

Windows RT 8.1

All	KB4096417
All	KB4095876

Windows Server

1709 Server Core	KB4103727
1803 Server Core	KB4103721

Windows Server 2008

Service Pack 2 (x64, x86)	KB4095873
Service Pack 2 (x64, x86)	KB4096418
Service Pack 2 (x64, x86)	KB4096495

Windows Server 2008 R2

Service Pack 1 (x64)	KB4095874
Service Pack 1 (x64)	KB4096418
Service Pack 1 (x64)	KB4096495
Service Pack 1 Server Core (x64)	KB4096418
Service Pack 1 Server Core (x64)	KB4095874
Service Pack 1 Server Core (x64)	KB4096495

Windows Server 2012

Server Core	KB4096416
Server Core	KB4095872
Server Core	KB4096494
Standard	KB4096416
Standard	KB4095872
Standard	KB4096494

Windows Server 2012 R2

Server Core	KB4096417
Server Core	KB4095875
Server Core	KB4095876
Standard	KB4096417
Standard	KB4095875
Standard	KB4095876

Windows Server 2016

Server Core	KB4103723
Standard	KB4103723

Common Weakness Enumeration

CWE-611 - Improper Restriction of XML External Entity Reference
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References

http://www.securityfocus.com/bid/104060

http://www.securitytracker.com/id/1040851

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0765

http://www.securityfocus.com/bid/104060

http://www.securitytracker.com/id/1040851

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0765