CVE-2019-0981: Denial of service in ASP.NET Core

CVSS Score: 7.5 (CVSS 3.0)

Basic Information

EPSS Score: 0.86433%
CWE: -
Published: 5/24/2022
Updated: 1/27/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| System.Private.Uri | nuget | >= 4.3.0, < 4.3.2 | 4.3.2 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from improper URI handling in System.Private.Uri. While explicit patch diffs aren't provided, the Microsoft advisory explicitly calls out this package and version range. URI parsing entry points like the constructor and internal parser methods are the most likely candidates. The DoS nature suggests functions involved in expensive parsing operations when processing malicious inputs. Confidence is medium due to lack of direct commit evidence, but grounded in the package's purpose and vulnerability type.

WAF Protection Rules

WAF Rule

A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests, aka '.Net Framework and .Net Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-****-****, CVE-****-****.
