News

.NET Core Update Fixes Denial-of-Service Vulnerability

Microsoft cranked out June 2020 updates to .NET Core 3.1 (and 2.1) to address a denial-of-service (DoS) vulnerability.

Officially, the flaw is called CVE-2020-1108 as listed in the Common Vulnerabilities and Exposures (CVE) system. The updates were announced in a June 9 blog post.

It says:

A denial of service vulnerability exists when .NET Core or .NET Framework improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core or .NET Framework web application. The vulnerability can be exploited remotely, without authentication.

A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Core or .NET Framework application.

The update addresses the vulnerability by correcting how the .NET Core or .NET Framework web application handles web requests.

"To comprehensively address CVE-2020-1108, Microsoft has released updates for .NET Core 2.1 and .NET Core 3.1. Customers who use any of these versions of .NET Core should install the latest version of .NET Core. See the Release Notes for the latest version numbers and instructions for updating .NET Core," Microsoft said.

More information and guidance on dealing with the issue can be found in a Microsoft Security Advisory.

It says affected software includes:

  • Any .NET Core 2.1 application running on .NET Core 2.1.18 or lower
  • Any .NET Core 3.1 application running on .NET Core 3.1.4 or lower
  • Any .NET 5 application running on .NET 5 Preview 3 or lower

Yet another related advisory issue was published on May 12.

There was no information about whether the vulnerability was actually exploited.

About the Author

David Ramel is an editor and writer at Converge 360.

comments powered by Disqus

Featured

  • Visual Studio Takes Aim at Copilot Billing Shock

    Beyond Copilot usage visibility, the June update delivers several other enhancements centered on AI-assisted development, security and quality-of-life improvements. Here's a quick rundown of the remaining additions announced by Microsoft.

  • Claude AI Gets Yet Another Boost in VS Code 1.128

    The July 8, 2026, Visual Studio Code update expands agent workflows, chat attachments, browser-tab controls, OS-level shortcuts and enterprise telemetry management.

  • TypeScript 7 Arrives to Rock VS Code with Go-Powered Speed

    Microsoft says TypeScript 7, announced July 8, brings native Go performance to VS Code, Visual Studio and other editors.

  • Full-Stack with a Side of Copilot: Building and Deploying an App the AI-Accelerated Way

    In this Q&A, developer and VSLive! speaker Esteban Garcia explains how GitHub Copilot can accelerate the full software development lifecycle -- from architecture and code to tests, CI/CD, and Azure deployment -- and how to use it as a repeatable engineering workflow rather than just a faster autocomplete tool.

Subscribe on YouTube