
CVE-2021-1723: ASP.NET Core and Visual Studio Denial of Service Vulnerability

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.87023%
CWE: -
Published: 5/24/2022
Updated: 10/9/2024
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name                                       Ecosystem  Vulnerable Versions   First Patched Version
Microsoft.AspNetCore.Server.Kestrel.Core           nuget      < 2.1.25              2.1.25
Microsoft.AspNetCore.App.Runtime.linux-arm         nuget      >= 3.1.0, < 3.1.11    3.1.11
Microsoft.AspNetCore.App.Runtime.linux-arm         nuget      >= 5.0.0, < 5.0.2     5.0.2
Microsoft.AspNetCore.App.Runtime.linux-arm64       nuget      >= 3.1.0, < 3.1.11    3.1.11
Microsoft.AspNetCore.App.Runtime.linux-arm64       nuget      >= 5.0.0, < 5.0.2     5.0.2
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64  nuget      >= 3.1.0, < 3.1.11    3.1.11
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64  nuget      >= 5.0.0, < 5.0.2     5.0.2
Microsoft.AspNetCore.App.Runtime.linux-musl-x64    nuget      >= 3.1.0, < 3.1.11    3.1.11
Microsoft.AspNetCore.App.Runtime.linux-musl-x64    nuget      >= 5.0.0, < 5.0.2     5.0.2
Microsoft.AspNetCore.App.Runtime.linux-x64         nuget      >= 3.1.0, < 3.1.11    3.1.11
Microsoft.AspNetCore.App.Runtime.linux-x64         nuget      >= 5.0.0, < 5.0.2     5.0.2
Microsoft.AspNetCore.App.Runtime.osx-x64           nuget      >= 3.1.0, < 3.1.11    3.1.11
Microsoft.AspNetCore.App.Runtime.osx-x64           nuget      >= 5.0.0, < 5.0.2     5.0.2
Microsoft.AspNetCore.App.Runtime.win-arm           nuget      >= 3.1.0, < 3.1.11    3.1.11
Microsoft.AspNetCore.App.Runtime.win-arm           nuget      >= 5.0.0, < 5.0.2     5.0.2
Microsoft.AspNetCore.App.Runtime.win-arm64         nuget      >= 3.1.0, < 3.1.11    3.1.11
Microsoft.AspNetCore.App.Runtime.win-arm64         nuget      >= 5.0.0, < 5.0.2     5.0.2
Microsoft.AspNetCore.App.Runtime.win-x64           nuget      >= 3.1.0, < 3.1.11    3.1.11
Microsoft.AspNetCore.App.Runtime.win-x64           nuget      >= 5.0.0, < 5.0.2     5.0.2
Microsoft.AspNetCore.App.Runtime.win-x86           nuget      >= 3.1.0, < 3.1.11    3.1.11
Microsoft.AspNetCore.App.Runtime.win-x86           nuget      >= 5.0.0, < 5.0.2     5.0.2
Microsoft.AspNetCore.App.Runtime.linux-musl-arm    nuget      = 5.0.1               5.0.2

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from HTTP/2 request parsing in Kestrel. The affected component (Microsoft.AspNetCore.Server.Kestrel.Core) and the nature of the fix (parsing corrections) point to the core HTTP/2 processing logic. Http2Connection.ProcessHeadersFrameAsync and Http2HeadersDecoder.Decode are central to handling HTTP/2 headers and HPACK decompression, which are common sources of parsing-related DoS. Exact patch details are unavailable, so this attribution is inferred from the vulnerability description and Kestrel's HTTP/2 architecture rather than confirmed against the fix.


Description

A denial-of-service vulnerability exists in the way Kestrel parses HTTP/2 requests. The security update addresses the vulnerability by fixing the way Kestrel parses HTTP/2 requests. Users are advised to upgrade.
