Remote DoS in ASP.NET Core MVC



Published: 2017-01-30
Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: N/A
CWE-ID: CWE-119
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
ASP.NET Core MVC
Universal components / Libraries / Software for developers

Vendor: Microsoft

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Improper input validation

EUVDB-ID: #VU5506

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause denial of service.

The vulnerability exists due to improper input validation when processing HTTP requests within Microsoft.AspNetCore.Mvc.Core. A remote attacker can send a specially crafted HTTP request to an affected web service and cause denial of service (DoS).

Successful exploitation of the vulnerability may allow an attacker to perform denial of service attacks.

Mitigation

Update ASP.NET Core MVC to version 1.1.1

Vulnerable software versions

ASP.NET Core MVC: 1.0.0 - 1.1.0

External links

http://technet.microsoft.com/en-us/library/security/4010983.aspx


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


