7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-0602

CVE-2020-0602: Denial of service in ASP.NET Core

A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service Vulnerability'.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2020-0602

CVE-2020-0602:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Microsoft.AspNetCore.All	nuget	>= 2.1.0, < 2.1.15	2.1.15
Microsoft.AspNetCore.App	nuget	= 3.1.0	3.1.1
Microsoft.AspNetCore.App	nuget	= 3.0.0	3.0.1
Microsoft.AspNetCore.App	nuget	>= 2.1.0, < 2.1.15	2.1.15
Microsoft.AspNetCore.Http.Connections	nuget	>= 1.0.0, < 1.0.15	1.0.15
Microsoft.AspNetCore.App.Runtime.linux-arm	nuget	>= 3.1.0, < 3.1.1	3.1.1
Microsoft.AspNetCore.App.Runtime.linux-arm64	nuget	>= 3.1.0, < 3.1.1	3.1.1
Microsoft.AspNetCore.App.Runtime.linux-musl-x64	nuget	>= 3.1.0, < 3.1.1	3.1.1
Microsoft.AspNetCore.App.Runtime.linux-x64	nuget	>= 3.1.0, < 3.1.1	3.1.1
Microsoft.AspNetCore.App.Runtime.osx-x64	nuget	>= 3.1.0, < 3.1.1	3.1.1
Microsoft.AspNetCore.App.Runtime.win-arm	nuget	>= 3.1.0, < 3.1.1	3.1.1
Microsoft.AspNetCore.App.Runtime.win-x64	nuget	>= 3.1.0, < 3.1.1	3.1.1
Microsoft.AspNetCore.App.Runtime.win-x86	nuget	>= 3.1.0, < 3.1.1	3.1.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper backpressure management in ASP.NET Core's SignalR component. Key evidence includes:

CVE-2020-0602's description explicitly references SignalR backpressure issues
Red Hat's errata links the vulnerability to dotnet: 'SignalR Denial of Service via backpressure issue'
The Microsoft advisory (aspnet/Announcements#402) specifies Http.Connections package as vulnerable
Backpressure failures in connection management components are classic CWE-400 vectors
HttpConnectionManager and HttpConnectionDispatcher are core SignalR components responsible for connection lifecycle management and request processing

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2020-0602: Denial of service in ASP.NET Core

CVE-2020-0602:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

CVE-2020-0602: Denial of service in ASP.NET Core

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

7.5

7.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI