CVE-2019-0982: Denial of service in ASP.NET Core
7.5
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.88626%
CWE
-
Published
5/24/2022
Updated
1/27/2023
KEV Status
No
Technology
C#
C#Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Microsoft.AspNetCore.SignalR.Protocols.MessagePack | nuget | >= 1.1.0, < 1.1.5 | 1.1.5 |
| Microsoft.AspNetCore.SignalR.Protocols.MessagePack | nuget | >= 1.0.0, < 1.0.11 | 1.0.11 |
Vulnerability Intelligence
Miggo AI
Miggo AIRoot Cause Analysis
The vulnerability exists in SignalR's MessagePack protocol implementation, which handles web request processing. The advisory specifically mentions improper request handling leading to DoS, and MessagePackHubProtocol is the core component for MessagePack message processing. The ReadMessage method is the primary deserialization entry point where improper input validation would manifest. The patched versions (1.0.11/1.1.5) likely added size limits and validation checks in this deserialization path.