
CVE-2019-0980: Denial of service in ASP.NET Core

CVSS Score: 7.5 (CVSS 3.0)

Basic Information

EPSS Score: 0.86433%
CWE: -
Published: 5/24/2022
Updated: 1/27/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| System.Private.Uri | nuget | >= 4.3.0, < 4.3.2 | 4.3.2 |
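
To check whether a project resolves System.Private.Uri inside the vulnerable range listed on this page (>= 4.3.0, < 4.3.2), the following added example (not code from Miggo or Microsoft) scans a NuGet `packages.lock.json`. It assumes the project has lock files enabled; the sample lock content and the function names are constructed for illustration.

```python
import json

PACKAGE = "System.Private.Uri"
VULN_MIN = (4, 3, 0, 0)       # inclusive lower bound from the advisory
FIRST_PATCHED = (4, 3, 2, 0)  # exclusive upper bound (first patched version)

def parse_version(text):
    """Convert '4.3.1' or '4.3.1-preview1' to a 4-part tuple for comparison.
    Simplification: a pre-release suffix is ignored, not ordered before release."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def find_vulnerable(lock_text):
    """Return (framework, dependency type, resolved version) for every target
    framework whose resolved System.Private.Uri falls in the vulnerable range."""
    lock = json.loads(lock_text)
    hits = []
    for framework, deps in lock.get("dependencies", {}).items():
        for name, info in deps.items():
            if name.lower() != PACKAGE.lower():  # NuGet IDs are case-insensitive
                continue
            resolved = info.get("resolved")
            if resolved and VULN_MIN <= parse_version(resolved) < FIRST_PATCHED:
                hits.append((framework, info.get("type", "?"), resolved))
    return hits

# Constructed sample: one framework pulls 4.3.0 transitively, one pins 4.3.2.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "netcoreapp2.1": {
            "Newtonsoft.Json": {"type": "Direct", "resolved": "12.0.1"},
            "System.Private.Uri": {"type": "Transitive", "resolved": "4.3.0"},
        },
        "netstandard2.0": {
            "System.Private.Uri": {"type": "Direct", "resolved": "4.3.2"},
        },
    },
})

if __name__ == "__main__":
    for framework, kind, version in find_vulnerable(SAMPLE_LOCK):
        print(f"{framework}: {PACKAGE} {version} ({kind}) is in the vulnerable "
              f"range; upgrade to 4.3.2 or later")
```

A transitive hit means the package arrives through another dependency, so the fix is usually an explicit package reference to 4.3.2 or later in the affected project.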

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability exists in URI processing (CWE-19) within System.Private.Uri 4.3.0-4.3.1. Microsoft's advisory explicitly links improper web request handling to URI processing. While exact commit diffs are unavailable, the System.Uri class is central to request parsing in ASP.NET Core. The functions Parse and InitializeUri are core components of URI handling where inefficient processing of crafted inputs would directly enable DoS attacks. The high confidence comes from: 1) Package context (System.Private.Uri), 2) Vulnerability type matching URI processing flaws, and 3) Microsoft's description of request handling corrections.

WAF Protection Rules

WAF Rule

A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests, aka '.Net Framework and .Net Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-****-****, CVE-****-****.