Microsoft Fixes .NET Core Spoofing Vulnerability

Microsoft today (July 9) issued security-and-reliability updates to two .NET Core and .NET Core SDK releases, featuring a spoofing vulnerability fix.

.NET Core 2.1 and 2.2 were updated to fix CVE-2019-1075: ASP.NET Core Spoofing Vulnerability, which states:

A spoofing vulnerability exists in ASP.NET Core that could lead to an open redirect. An attacker who successfully exploited the vulnerability could redirect a targeted user to a malicious website.

To exploit the vulnerability, an attacker could send a link that has a specially crafted URL, and convince the user to click the link.

The update addresses the vulnerability by correcting how ASP.NET Core parses URLs.

Specifically, available for download now are:

  • .NET Core 2.1.12, including .NET Core 2.1.12, ASP.NET Core 2.1.12 and the .NET Core SDK. Release notes are here.
  • .NET Core 2.2.6, including .NET Core 2.2.6, ASP.NET Core 2.2.6 and updates to the .NET Core SDK. Release notes are here.

Corresponding Docker images have also been updated. "Deployment of these updates on Azure App Services has been scheduled and it is expected to complete later in July 2019," Microsoft said.

More information can be found in a GitHub announcement and issue.

About the Author

David Ramel is an editor and writer for Converge360.

comments powered by Disqus


  • Python in VS Code Adds Data Viewer for Debugging

    The January 2021 update to the Python Extension for Visual Studio Code is out with a short list of new features headed by a data viewer used while debugging.

  • GitHub Ships Enterprise Server 3.0 Release Candidate

    It's described as "the biggest ever change to Enterprise Server," with improvements to Actions, Packages, mobile, security and more.

  • Attacks on .NET Apps Grow in Number, Severity, Says Security Firm

    .NET apps were found to have more serious vulnerabilities and suffer more attacks last year, according to data gathered by Contrast Labs.

  • Microsoft Opens Up Old Win32 APIs to C# and Rust, More Languages to Come

    Microsoft is opening up old Win32 APIs long used for 32-bit Windows programming, letting coders use languages of their choice instead of the default C/C++ option.

Upcoming Events