Denial of Service (DoS)

Affecting microsoft.aspnetcore.websockets package, versions [2.1.0,2.1.7) || [2.2.0,2.2.1)

Overview

Microsoft.AspNetCore.WebSockets is an ASP.NET Core web socket middleware for use on top of opaque servers.

Affected versions of this package are vulnerable to Denial of Service (DoS). An unauthenticated remote attacker can cause a denial of service by issuing specially crafted requests to the .NET Core application. The cause is improper handling of web requests in ASP.NET Core. This CVE ID is distinct from CVE-2019-0548.

Remediation

Upgrade Microsoft.AspNetCore.WebSockets to version 2.1.7, 2.2.1 or higher.
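
To find projects that still pin an affected version, the following added example (not part of the original advisory) scans a .csproj for direct PackageReference entries and tests them against the ranges above. The sample project XML and the function names are constructed for illustration; floating, range and pre-release versions are flagged for manual review, and transitive references are not inspected.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "microsoft.aspnetcore.websockets"  # NuGet IDs are case-insensitive
# Affected ranges from the advisory: [2.1.0,2.1.7) || [2.2.0,2.2.1)
AFFECTED = [((2, 1, 0), (2, 1, 7)), ((2, 2, 0), (2, 2, 1))]

# Constructed sample project file (not taken from any real project).
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.WebSockets" Version="2.2.0" />
    <PackageReference Include="Example.Other.Package" Version="1.0.0" />
  </ItemGroup>
</Project>"""

def parse_version(text):
    """Return (major, minor, patch), or None for floating, range or pre-release versions."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?", text.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def is_affected(version_text):
    """True or False for a plain version; None when it cannot be decided statically."""
    v = parse_version(version_text)
    if v is None:
        return None
    return any(lo <= v < hi for lo, hi in AFFECTED)

def scan_csproj(xml_text):
    """Return [(version_text, status)] for each direct reference to the package."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Old-style project files carry an XML namespace; compare local names only.
        if el.tag.split("}")[-1] != "PackageReference":
            continue
        if el.get("Include", "").lower() != PACKAGE:
            continue
        version = el.get("Version")
        if version is None:  # the version may also be a child <Version> element
            child = next((c for c in el if c.tag.split("}")[-1] == "Version"), None)
            version = (child.text or "") if child is not None else ""
        status = {True: "affected", False: "ok", None: "review"}[is_affected(version)]
        findings.append((version, status))
    return findings

if __name__ == "__main__":
    for version, status in scan_csproj(SAMPLE):
        print(f"Microsoft.AspNetCore.WebSockets {version}: {status}")
```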

CVSS Score

5.9 (medium severity)

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O

Credit: Barry Dorrans
CVE: CVE-2019-0564
CWE: CWE-400
Snyk ID: SNYK-DOTNET-MICROSOFTASPNETCOREWEBSOCKETS-72891
Disclosed: 08 Jan, 2019
Published: 10 Jan, 2019