Improper input validation in ASP.NET Core MVC

#VU11030 Improper input validation in ASP.NET Core MVC

Published: 2018-03-13 | Updated: 2018-03-13

Vulnerability identifier: #VU11030

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2018-0875

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
ASP.NET Core MVC
Universal components / Libraries / Software for developers

Vendor: Microsoft

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the way that .NET Core handles specially crafted requests. A remote attacker can send a small number of specially crafted requests to an .NET Core web application, trigger a hash collision and cause performance to degrade significantly enough to cause service crash.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ASP.NET Core MVC: 1.0.0 - 2.0

Fixed software versions

CPE

cpe:2.3:a:microsoft:aspnet_core_mvc:1.0.0:*:*:*:*:*:*:*

External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0875

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Red Hat update for core

Denial of service in Microsoft PowerShell Core

Multiple vulnerabilities in Microsoft ASP.NET Core