#VU11027 Improper input validation in ASP.NET Core MVC - CVE-2018-0808

Cybersecurity Help s.r.o.

Published: 2018-03-13 | Updated: 2018-03-13

Vulnerability identifier: #VU11027

Vulnerability risk: Low

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2018-0808

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ASP.NET Core MVC
Universal components / Libraries / Software for developers

Vendor: Microsoft

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to an error in ASP.NET Core when handling malicious web requests. A remote attacker can issue specially crafted requests to the .NET Core application and cause a denial of service against an ASP.NET Core web application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ASP.NET Core MVC: 2.0

External links
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0808

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Microsoft ASP.NET Core