Microsoft Fixes .NET Core Spoofing Vulnerability
Microsoft today (July 9) issued security-and-reliability updates to two .NET Core and .NET Core SDK releases, featuring a spoofing vulnerability fix.
.NET Core 2.1 and 2.2 were updated to fix CVE-2019-1075, an ASP.NET Core spoofing vulnerability that the advisory describes as follows:
A spoofing vulnerability exists in ASP.NET Core that could lead to an open redirect. An attacker who successfully exploited the vulnerability could redirect a targeted user to a malicious website.
To exploit the vulnerability, an attacker could send a link that has a specially crafted URL, and convince the user to click the link.
The update addresses the vulnerability by correcting how ASP.NET Core parses URLs.
Specifically, available for download now are:
- .NET Core 2.1.12, including .NET Core 2.1.12, ASP.NET Core 2.1.12 and the .NET Core SDK. Release notes are here.
- .NET Core 2.2.6, including .NET Core 2.2.6, ASP.NET Core 2.2.6 and updates to the .NET Core SDK. Release notes are here.
Corresponding Docker images have also been updated. "Deployment of these updates on Azure App Services has been scheduled and it is expected to complete later in July 2019," Microsoft said.
More information can be found in a GitHub announcement and issue.
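To confirm that a host has picked up the fixed releases, the runtime inventory can be compared against the patched versions named above (2.1.12 and 2.2.6). The following is an added example, not code from Microsoft or the article; it assumes the usual `dotnet --list-runtimes` line format of name, version and bracketed install path, and the sample listing is constructed.

```python
import re

# Patched releases named in the article, keyed by (major, minor) branch.
PATCHED = {(2, 1): (2, 1, 12), (2, 2): (2, 2, 6)}

# Assumed line format: "<runtime name> <version> [<install path>]"
LINE = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)\S*\s+\[(.+)\]\s*$")


def unpatched_runtimes(listing):
    """Return (name, version, path) for each 2.1/2.2 runtime below the fix."""
    findings = []
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or unrecognised output, ignore
        name, path = m.group(1), m.group(5)
        version = tuple(int(m.group(i)) for i in (2, 3, 4))
        floor = PATCHED.get(version[:2])
        # Only the 2.1 and 2.2 branches are covered by this update.
        if floor is not None and version < floor:
            findings.append((name, ".".join(map(str, version)), path))
    return findings


# Constructed sample listing, not captured from a real host.
SAMPLE = """\
Microsoft.AspNetCore.All 2.1.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 2.1.12 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 2.2.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.2.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.0.0-preview6-27804-01 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for name, version, path in unpatched_runtimes(SAMPLE):
        print(f"needs update: {name} {version} at {path}")
```

Shared runtimes are the only thing this inspects; self-contained deployments and container images carry their own copy and have to be rebuilt against the updated release.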
David Ramel is the editor of Visual Studio Magazine.