ASP.NET Core MVC 1.1.0 Vulnerability Guidance

Microsoft's security bulletin describes a security vulnerability that exposes apps targeting ASP.NET Core MVC 1.1.0 to possible denial of service attacks, and issues mitigation guidance.

Microsoft this week issued a security bulletin for a vulnerability that exposes apps targeting ASP.NET Core MVC 1.1.0 to potential denial of service attacks. Microsoft Security Advisor 4010983 specifically notes that it's a publicly known flaw that can affect any project with a "direct or transitive dependency on Microsoft.AspNetCore.Mvc.Core version 1.1.0."

According to the bulletin, only projects that target version 1.1.0 are affected, while those targeting "ASP.NET Core 1.0.0, 1.0.1 or 1.02 are not." As is common with these types of flaws, the vulnerability is enabled when using a malformed HTTP request.

MSA 4010983 notes that updating apps to target a more recent 1.1.1 package or any version newer than that will mitigate the DoS issue. It's worth noting that the bulletin defines corrective measures based on whether your app uses direct or transitive dependencies -- based on how apps target ASP.NET Core MVC, developers need to make sure to review their project's dependency type and take steps to update based on that dependency type. Once an app is updated to use the right package, apps should then be republished.

Microsoft's Rich Lander blogs about the update on the .NET blog on MSDN; in it he links to a Red Hat advisory that contains guidance for Red Hat users (but a subscription is required to read it).

About the Author

Michael Domingo is a long-time software publishing veteran, having started up and managed several developer publications for the Clipper compiler, Microsoft Access, and Visual Basic. He's also managed IT pubs for 1105 Media, including Microsoft Certified Professional Magazine and Virtualization Review before landing his current gig as Visual Studio Magazine Editor in Chief. Besides his publishing life, he's a professional photographer, whose work can be found by Googling domingophoto.

comments powered by Disqus


  • Entity Framework Core 6: What Developers Want

    Microsoft outlined its plan for Entity Framework Core 6, which in November will take its place as the data access component of the landmark .NET 6, a long-term support (LTS) release that will mark Microsoft's transition from the Windows-only .NET Framework to an open source, cross-platform umbrella offering of all things .NET.

  • AWS Open Sources .NET Porting Assistant GUI

    After previously open sourcing components of its Porting Assistant for .NET, Amazon Web Services open sourced the tool's GUI.

  • .NET Core Ranks High Among Frameworks in New Dev Survey

    .NET Core placed high in a web-dominated ranking of development frameworks published by CodinGame, which provides a tech hiring platform.

  • Here's a One-Stop Shop for .NET 5 Improvements

    Culled from reams of Microsoft documentation, here's a high-level summary of what's new for performance, networking, diagnostics and more, along with links to the nitty-gritty details for those wanting to dig in more.

Upcoming Events