MEDIUM

GHSA-cgpw-2gph-2r9g

Moderate severity vulnerability that affects Microsoft.AspNetCore.All, Microsoft.AspNetCore.App, and Microsoft.AspNetCore.Server.Kestrel.Core

Details

Microsoft is aware of a denial of service vulnerability in ASP.NET Core when a malformed request is terminated. An attacker who successfully exploited this vulnerability could cause a denial of service attack.

The update addresses the vulnerability by correcting how ASP.NET Core handles such requests.

Are you affected?

Enter the version of the package you're using.

Affected packages

NuGet / Microsoft.AspNetCore.Server.Kestrel.Core

Introduced in: 2.0.0 Fixed in: 2.0.4

Fix dotnet add package Microsoft.AspNetCore.Server.Kestrel.Core --version 2.0.4

NuGet / Microsoft.AspNetCore.All

Introduced in: 2.0.0 Fixed in: 2.0.9

Fix dotnet add package Microsoft.AspNetCore.All --version 2.0.9

NuGet / Microsoft.AspNetCore.App

Introduced in: 2.1.0 Fixed in: 2.1.2

Fix dotnet add package Microsoft.AspNetCore.App --version 2.1.2

NuGet / Microsoft.AspNetCore.Server.Kestrel.Core

Introduced in: 2.1.0 Fixed in: 2.1.2

Fix dotnet add package Microsoft.AspNetCore.Server.Kestrel.Core --version 2.1.2

NuGet / Microsoft.AspNetCore.All

Introduced in: 2.1.0 Fixed in: 2.1.2

Fix dotnet add package Microsoft.AspNetCore.All --version 2.1.2

References

https://github.com/aspnet/Announcements/issues/311 [WEB]
https://github.com/advisories/GHSA-cgpw-2gph-2r9g [ADVISORY]