Microsoft Updates .NET Core, Issues Remote Code Execution Security Advisory

Microsoft issued security updates for .NET Core while releasing a security advisory about a remote code execution vulnerability.

"Microsoft is aware of a remote code execution vulnerability exists in .NET software when the software fails to check the source markup of an XML file," the company said in a July 14 blog post. "An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

"A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an ASP.NET Core application, or other application that parses certain types of XML."

The updates -- .NET Core 2.1.20 and .NET Core 3.1.6 -- restrict the types that are allowed to be present in the XML payload in order to address the vulnerability.

Additional fixes in the release cover a variety of issues in CoreCLR (the runtime for .NET Core), CoreFX (the foundational class libraries for .NET Core) and ASP.NET Core, the web framework.

Getting the update requires downloading .NET Core 3.1.6 and .NET Core SDK and/or .NET Core 2.1.20 and .NET Core SDK,

The fix will be baked in to a future update of the Visual Studio IDE.

More information about the vulnerability can be found in CVE-2020-1147

About the Author

David Ramel is an editor and writer for Converge360.

comments powered by Disqus


  • VS Code Python Tool Does Multiple Interactive Windows

    Code cells from Python scripts by default will still be executed in a same interactive window, but developers can now configure the Python extension to run separate files in separate interactive windows.

  • VS Code Java Team Improves 'Getting Started' Experience

    Microsoft's dev team responsible for the Java on Visual Studio Code extensions released a new update that eases the "getting started" experience, addressing feedback from new users who want an easier onramp.

  • Data Prep for Machine Learning: Encoding

    Dr. James McCaffrey of Microsoft Research uses a full code program and screenshots to explain how to programmatically encode categorical data for use with a machine learning prediction model such as a neural network classification or regression system.

  • Surface Duo Debut Presents Dual-Screen Dev Challenges

    Microsoft officially launched its new dual-screen Android device, Surface Duo, presenting new challenges -- and opportunities -- for developers to leverage the new form factor.

  • What's New in Blazor Tooling Updates

    Here's a quick look at what four major third-party Blazor tooling vendors have offered lately for Microsoft's red-hot project that allows for web development with C# instead of JavaScript.

.NET Insight

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.

Upcoming Events