|CERT-In Vulnerability Note
Multiple Vulnerabilities in Microsoft ASP.NET
Original Issue Date:January 09, 2019
Severity Rating: HIGH
- Microsoft .NET Core 2.1
- Microsoft .NET Core 2.2
- Microsoft .NET Framework 3.5
- Microsoft .NET Framework 3.5.1
- Microsoft .NET Framework 4.5.2
- Microsoft .NET Framework 4.6
- Microsoft .NET Framework 4.6.1
- Microsoft .NET Framework 4.6.2
- Microsoft .NET Framework 4.7
- Microsoft .NET Framework 4.7.1
- Microsoft .NET Framework 4.7.2
Multiple vulnerabilities have been reported in Microsoft ASP.NET, which could allow an attacker to gain elevated privileges, bypass security restrictions, obtain sensitive information, conduct remote code execution attacks or cause denial of service conditions.
1. Denial of Service Vulnerabilities
These vulnerabilities exist inMicrosoft ASP.NET Core improperly handles web requests. An attacker could exploit these vulnerabilities by specially crafted requests to the .NET Core application.
Successful exploitation of these vulnerabilities could allow the attacker could cause a denial of service condition against an ASP.NET Core web application.
2. NET Framework Information Disclosure Vulnerability
This vulnerability exist in Microsoft .NET Framework and .NET Core which could allows bypassing Cross-origin Resource Sharing (CORS) configurations. An attacker could exploit this vulnerability by enforcing CORS configuration to prevent its bypass.
Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information on the targeted system.
Apply appropriate fix as mentioned in Microsoft Security Advisory
The information provided herein is on "as is" basis, without warranty of any kind.
Email: email@example.com Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003