Microsoft Updates .NET Core, Issues Remote Code Execution Security Advisory

Microsoft issued security updates for .NET Core while releasing a security advisory about a remote code execution vulnerability.

"Microsoft is aware of a remote code execution vulnerability exists in .NET software when the software fails to check the source markup of an XML file," the company said in a July 14 blog post. "An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

"A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an ASP.NET Core application, or other application that parses certain types of XML."

The updates -- .NET Core 2.1.20 and .NET Core 3.1.6 -- restrict the types that are allowed to be present in the XML payload in order to address the vulnerability.

Additional fixes in the release cover a variety of issues in CoreCLR (the runtime for .NET Core), CoreFX (the foundational class libraries for .NET Core) and ASP.NET Core, the web framework.

Getting the update requires downloading .NET Core 3.1.6 and .NET Core SDK and/or .NET Core 2.1.20 and .NET Core SDK,

The fix will be baked in to a future update of the Visual Studio IDE.

More information about the vulnerability can be found in CVE-2020-1147

About the Author

David Ramel is an editor and writer for Converge360.

comments powered by Disqus


  • .NET Core Ranks High Among Frameworks in New Dev Survey

    .NET Core placed high in a web-dominated ranking of development frameworks published by CodinGame, which provides a tech hiring platform.

  • Here's a One-Stop Shop for .NET 5 Improvements

    Culled from reams of Microsoft documentation, here's a high-level summary of what's new for performance, networking, diagnostics and more, along with links to the nitty-gritty details for those wanting to dig in more.

  • Azure SQL Database Ranked Among Top 3 Databases of 2020

    Microsoft touted the inclusion of Azure SQL Database among the top three databases of 2020 in a popularity ranking by DB-Engines, which collects and manages information about database management systems, updating its lists monthly.

  • Time Tracker Says VS Code Is No. 1 Editor for Devs, Some Working 15+ Hours Per Day

    WakaTime, which does time tracking for programmers, released data for 2020 showing that Visual Studio Code is by far the top editor/IDE used by its coders, some of whom are hacking away for more than 15 hours per day.

Upcoming Events