CVE-2020-0603: ASP.NET Core Remote Code Execution Vulnerability

Overview

Severity

N/A

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2020-Jan

Released

2020-01-14

Last Updated

2020-05-28

EPSS Score

10.79% (percentile: 93.3%)

Description

A remote code execution vulnerability exists in ASP.NET Core software when the software fails to handle client deleted connections. An attacker who successfully exploited the vulnerability could run arbitrary code in memory on the server. Exploitation of the vulnerability requires that a user perform certain actions during the connection process. The security update addresses the vulnerability by correcting how ASP.NET Core handles deleted connections.

Affected Products (3)

Developer Tools

• ASP.NET Core 2.1
• ASP.NET Core 3.0
• ASP.NET Core 3.1

Security Updates (3)

• Release Notes
• Release Notes
• Release Notes

Acknowledgments

Brennan Conroy of Microsoft Corporation

Revision History

• 2020-01-14: Information published.
• 2020-05-28: Updated description to clarify information about the vulnerability. This is an informational change only.