First published: Tue Dec 18 2018
The methods for sending and receiving data on a WebSocket accept a CancellationToken, but previously did not implement actual support for cancellation. Activating the cancellation token would result in a no-op and would not cancel any in-progress operations. This provided a potential avenue for denial of service (DoS), by tying up connections to a server with WebSocket connections that the server could not cancel.
Credit: secure@microsoft.com
Affected Software | Affected Version | How to fix |
---|---|---|
Microsoft ASP.NET Core | =2.1 | |
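
The token usage the description above concerns, as an added example (not code from the advisory or from ASP.NET Core): an echo handler that bounds every WebSocket receive and send with a timeout token, which frees the connection only if the runtime honours that token. The class name, the `IdleTimeout` value and the `Abort()` fallback are assumptions of this example.

```csharp
// Added example: hypothetical handler, not ASP.NET Core source code.
using System;
using System.Net.WebSockets;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

public static class BoundedWebSocketHandler
{
    // Assumed policy value: longest time a client may stay silent.
    private static readonly TimeSpan IdleTimeout = TimeSpan.FromSeconds(30);

    public static async Task HandleAsync(HttpContext context)
    {
        if (!context.WebSockets.IsWebSocketRequest)
        {
            context.Response.StatusCode = StatusCodes.Status400BadRequest;
            return;
        }
        using (WebSocket socket = await context.WebSockets.AcceptWebSocketAsync())
        {
            var buffer = new byte[4096];
            while (socket.State == WebSocketState.Open)
            {
                // Fresh deadline per iteration, linked to request/server shutdown.
                using (var cts = CancellationTokenSource.CreateLinkedTokenSource(context.RequestAborted))
                // Fallback: abort the socket when the token fires, so teardown
                // does not rely only on the pending operation observing the token.
                using (cts.Token.Register(() => socket.Abort()))
                {
                    cts.CancelAfter(IdleTimeout);
                    try
                    {
                        var result = await socket.ReceiveAsync(new ArraySegment<byte>(buffer), cts.Token);
                        if (result.MessageType == WebSocketMessageType.Close)
                        {
                            await socket.CloseOutputAsync(WebSocketCloseStatus.NormalClosure, "closing", cts.Token);
                            return;
                        }
                        // Echo the frame back under the same deadline.
                        await socket.SendAsync(new ArraySegment<byte>(buffer, 0, result.Count),
                            result.MessageType, result.EndOfMessage, cts.Token);
                    }
                    catch (OperationCanceledException) { return; } // deadline hit or shutdown
                    catch (WebSocketException) { return; }         // aborted or broken connection
                }
            }
        }
    }
}
```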
CVE-2019-0564 is a denial of service vulnerability in ASP.NET Core that allows attackers to cause a service outage by sending specially crafted web requests.
CVE-2019-0564 has a severity rating of high, with a CVSS score of 7.5.
ASP.NET Core version 2.1 is affected by CVE-2019-0564.
An attacker can exploit CVE-2019-0564 by sending specially crafted web requests to a vulnerable ASP.NET Core application, causing a denial of service.
Microsoft has released a security update to address this vulnerability. It is recommended to apply the latest updates for ASP.NET Core.