Moderate severity vulnerability that affects Microsoft.AspNetCore.All, Microsoft.AspNetCore.Server.Kestrel.Core, Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions, and Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv

Microsoft made an internal discovery of a security vulnerability in version 2.x of ASP.NET Core where a specially crafted request can cause excess resource consumption in Kestrel.

Published: Oct 16, 2018
Updated: Apr 14, 2023
GHSA: GHSA-3m2r-q8x3-xmf7
Severity: Medium
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
Microsoft.AspNetCore.Server.Kestrel.Core	2.0.0	2.0.3
Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions	2.0.0	2.0.3
Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv	2.0.0	2.0.3
Microsoft.AspNetCore.All	2.0.0	2.0.8

https://github.com/aspnet/Announcements/issues/300

Vulnerability Database

289,599

Moderate severity vulnerability that affects Microsoft.AspNetCore.All, Microsoft.AspNetCore.Server.Kestrel.Core, Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions, and Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv