CVE-2020-0602: Denial of service in ASP.NET Core
CVSS Score: 7.5 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.88129%
CWE
Published: 5/24/2022
Updated: 1/30/2023
KEV Status: No
Technology: C#
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Microsoft.AspNetCore.All | nuget | >= 2.1.0, < 2.1.15 | 2.1.15 |
Microsoft.AspNetCore.App | nuget | = 3.1.0 | 3.1.1 |
Microsoft.AspNetCore.App | nuget | = 3.0.0 | 3.0.1 |
Microsoft.AspNetCore.App | nuget | >= 2.1.0, < 2.1.15 | 2.1.15 |
Microsoft.AspNetCore.Http.Connections | nuget | >= 1.0.0, < 1.0.15 | 1.0.15 |
Microsoft.AspNetCore.App.Runtime.linux-arm | nuget | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.linux-arm64 | nuget | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | nuget | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.linux-x64 | nuget | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.osx-x64 | nuget | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.win-arm | nuget | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.win-x64 | nuget | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.win-x86 | nuget | >= 3.1.0, < 3.1.1 | 3.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper backpressure management in ASP.NET Core's SignalR component. Key evidence includes:
- CVE-2020-0602's description explicitly references SignalR backpressure issues
- Red Hat's errata links the vulnerability to dotnet: 'SignalR Denial of Service via backpressure issue'
- The Microsoft advisory (aspnet/Announcements#402) specifies the Http.Connections package as vulnerable
- Backpressure failures in connection management components are classic CWE-400 vectors
- HttpConnectionManager and HttpConnectionDispatcher are core SignalR components responsible for connection lifecycle management and request processing