ASP.NET Core MVC 1.1.0 Vulnerability Guidance

Microsoft's security bulletin describes a security vulnerability that exposes apps targeting ASP.NET Core MVC 1.1.0 to possible denial of service attacks, and issues mitigation guidance.

Microsoft this week issued a security bulletin for a vulnerability that exposes apps targeting ASP.NET Core MVC 1.1.0 to potential denial of service attacks. Microsoft Security Advisory 4010983 specifically notes that it's a publicly known flaw that can affect any project with a "direct or transitive dependency on Microsoft.AspNetCore.Mvc.Core version 1.1.0."

According to the bulletin, only projects that target version 1.1.0 are affected, while those targeting "ASP.NET Core 1.0.0, 1.0.1 or 1.0.2 are not." As is common with this type of flaw, the vulnerability is triggered by a malformed HTTP request.

MSA 4010983 notes that updating apps to target the 1.1.1 package, or any newer version, mitigates the DoS issue. It's worth noting that the bulletin gives separate corrective steps depending on whether the app takes a direct or a transitive dependency on the package, so developers should check which kind of dependency their project has and update accordingly. Once an app references the fixed package, it must be republished.
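As an added illustration of that dependency check (example code written for this article, not part of the bulletin or of Microsoft's tooling), the script below reads a NuGet lock file and reports whether Microsoft.AspNetCore.Mvc.Core resolves to the affected 1.1.0 release and whether it arrives as a direct or a transitive dependency. The lock-file layout it relies on is a simplified assumption about project.lock.json / project.assets.json, and the embedded sample is constructed.

```python
"""Audit a NuGet lock file for the vulnerable Microsoft.AspNetCore.Mvc.Core 1.1.0
package and report whether it is pulled in directly or transitively."""
import json

VULN_PACKAGE = "Microsoft.AspNetCore.Mvc.Core"
VULN_VERSION = "1.1.0"  # the only release the bulletin names as affected


def audit_lock_file(lock: dict) -> list:
    """Return one finding dict per target framework that resolves Mvc.Core.

    Assumed (simplified) layout: "projectFileDependencyGroups" lists the
    project's own references as "Name >= version" strings, and "targets"
    maps each framework to "Name/version" entries with their "dependencies".
    """
    direct = {dep.split()[0]
              for group in lock.get("projectFileDependencyGroups", {}).values()
              for dep in group}
    findings = []
    for tfm, packages in lock.get("targets", {}).items():
        resolved = {k.partition("/")[0]: k.partition("/")[2] for k in packages}
        if VULN_PACKAGE not in resolved:
            continue
        # Packages whose own dependency list pulls Mvc.Core in (the transitive path).
        parents = sorted(k.partition("/")[0] for k, meta in packages.items()
                         if VULN_PACKAGE in meta.get("dependencies", {}))
        version = resolved[VULN_PACKAGE]
        vulnerable = version == VULN_VERSION
        if VULN_PACKAGE in direct:
            kind = "direct"
            action = f"raise the {VULN_PACKAGE} reference to 1.1.1 or newer, then republish"
        else:
            via = ", ".join(parents) or "(unknown parent)"
            kind = f"transitive via {via}"
            action = f"update {via} so {VULN_PACKAGE} resolves to 1.1.1 or newer, then republish"
        findings.append({"framework": tfm, "version": version, "dependency": kind,
                         "vulnerable": vulnerable, "action": action if vulnerable else "none"})
    return findings


# Constructed sample: the app references Microsoft.AspNetCore.Mvc 1.1.0 directly,
# which in turn pulls in the affected Mvc.Core 1.1.0 (a transitive dependency).
SAMPLE_LOCK = json.loads("""{
  "projectFileDependencyGroups": {".NETCoreApp,Version=v1.1": ["Microsoft.AspNetCore.Mvc >= 1.1.0"]},
  "targets": {".NETCoreApp,Version=v1.1": {
    "Microsoft.AspNetCore.Mvc/1.1.0": {"type": "package", "dependencies": {"Microsoft.AspNetCore.Mvc.Core": "1.1.0"}},
    "Microsoft.AspNetCore.Mvc.Core/1.1.0": {"type": "package", "dependencies": {}}
  }}
}""")

if __name__ == "__main__":
    for finding in audit_lock_file(SAMPLE_LOCK):
        print(finding)
```

Point it at a real lock file with `json.load(open(path))` in place of `SAMPLE_LOCK`; an empty result means Mvc.Core is not resolved for any framework.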

Microsoft's Rich Lander blogs about the update on the .NET blog on MSDN; in it he links to a Red Hat advisory that contains guidance for Red Hat users (but a subscription is required to read it).

About the Author

Michael Domingo is a long-time software publishing veteran, having started up and managed several developer publications for the Clipper compiler, Microsoft Access, and Visual Basic. He's also managed IT pubs for 1105 Media, including Microsoft Certified Professional Magazine and Virtualization Review before landing his current gig as Visual Studio Magazine Editor in Chief. Besides his publishing life, he's a professional photographer, whose work can be found by Googling domingophoto.
