MEDIUM

GHSA-3m2r-q8x3-xmf7

Moderate severity vulnerability that affects Microsoft.AspNetCore.All, Microsoft.AspNetCore.Server.Kestrel.Core, Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions, and Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv

Details

Microsoft made an internal discovery of a security vulnerability in version 2.x of ASP.NET Core where a specially crafted request can cause excess resource consumption in Kestrel.

Are you affected?

Enter the version of the package you're using.

Affected packages

NuGet / Microsoft.AspNetCore.Server.Kestrel.Core

Introduced in: 2.0.0 Fixed in: 2.0.3

Fix dotnet add package Microsoft.AspNetCore.Server.Kestrel.Core --version 2.0.3

NuGet / Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions

Introduced in: 2.0.0 Fixed in: 2.0.3

Fix dotnet add package Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions --version 2.0.3

NuGet / Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv

Introduced in: 2.0.0 Fixed in: 2.0.3

Fix dotnet add package Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv --version 2.0.3

NuGet / Microsoft.AspNetCore.All

Introduced in: 2.0.0 Fixed in: 2.0.8

Fix dotnet add package Microsoft.AspNetCore.All --version 2.0.8

References

https://github.com/aspnet/Announcements/issues/300 [WEB]
https://github.com/advisories/GHSA-3m2r-q8x3-xmf7 [ADVISORY]