Risk | High |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2019-0657 CVE-2019-0613 |
CWE-ID | CWE-451 CWE-119 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Microsoft .NET Framework Server applications / Frameworks for developing and running applications ASP.NET Core MVC Universal components / Libraries / Software for developers Visual Studio Universal components / Libraries / Software for developers |
Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU17638
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-0657
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct spoofing attack.
The vulnerability exists in thev .Net Framework API's and Visual Studio in the way they parse URL's. A remote attacker can provide a URL string to an application that attempts to verify that the URL belongs to a specific hostname or to a subdomain of that hostname, bypass security logic intended to ensure that a user-provided URL belonged to a specific hostname or a subdomain of that hostname to cause privileged communication to be made to an untrusted service as if it was a trusted service.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMicrosoft .NET Framework: 2.0 - 4.7.2
ASP.NET Core MVC: 1.0.0 - 2.2
Visual Studio: 15.0 26228.04 - 15.9
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0657
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU17640
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-0613
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in .NET Framework and Visual Studio software when the software fails to check the source markup of a file. A remote attacker can create a specially crafted document, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMicrosoft .NET Framework: 2.0 - 4.7.2
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0613
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.