CVE-2019-0980

CWE-19 CWE-835 CWE-400 — Uncontrolled Resource Consumption CWE-133311 documents7 sources

Severity

7.5HIGH

EPSS

3.2%

top 12.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft .net Core Microsoft Microsoft .net Framework 2.0 Microsoft Microsoft .net Framework 3.0 +42 more

Timeline

PublishedMay 16

Latest updateMay 24

Description

A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests, aka '.Net Framework and .Net Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0820, CVE-2019-0981.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages47 packages

▶CVEListV5microsoft/microsoft_.net_framework_4.8_on_windows_server_2019_(server_core_installation)unspecified

▶CVEListV5microsoft/microsoft_.net_framework_4.8_on_windows_server_2008_r2_for_x64-based_systems_service_pack_1_(server_core_installation)unspecified

▶CVEListV5microsoft/microsoft_.net_framework_4.8_on_windows_server_2019unspecified

▶CVEListV5microsoft/microsoft_.net_framework_4.8_on_windows_7_for_32-bit_systems_service_pack_1unspecified

▶CVEListV5microsoft/microsoft_.net_framework_4.8_on_windows_7_for_x64-based_systems_service_pack_1unspecified

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

Denial of service in ASP.NET Core↗2022-05-24

▶

OSV

Denial of service in ASP.NET Core↗2022-05-24

▶

GHSA

Denial of service in ASP.NET Core↗2022-05-24

▶

GHSA

Regular Expression Denial of Service in System.Text.RegularExpressions↗2021-08-04

▶

CVEList

CVE-2019-0980: A denial of service vulnerability exists when↗2019-05-16

▶

📋Vendor Advisories

Red Hat

dotnet: infinite loop in Uri.TryCreate leading to ASP.Net Core Denial of Service↗2019-05-14

▶

Microsoft

.Net Framework and .Net Core Denial of Service Vulnerability↗2019-05-14

▶

Red Hat

dotnet: timeouts for regular expressions are not enforced↗2019-05-14

▶

Red Hat

dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of Service↗2019-05-14

▶

💬Community

Bugzilla

CVE-2019-0980 dotnet: infinite loop in Uri.TryCreate leading to ASP.Net Core Denial of Service↗2019-05-02

▶

External resources

NVD MITRE

Affected products45

Microsoft .net Corev1v1.1v2.1+2 more

Microsoft .net Frameworkv2.0v3.0v3.5+9 more

Microsoft Microsoft .net Framework 2.0vService Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2vService Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2vService Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2

Microsoft Microsoft .net Framework 3.0vService Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2vService Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2vService Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2

Microsoft Microsoft .net Framework 3.5vWindows 10 Version 1607 for 32-bit SystemsvWindows 10 Version 1607 for x64-based SystemsvWindows 10 Version 1703 for 32-bit Systems+22 more

Microsoft Microsoft .net Framework 3.5 ON Windows 10 Version 1903 FOR 32-bit Systemsvunspecified

Microsoft Microsoft .net Framework 3.5 ON Windows 10 Version 1903 FOR X64-based Systemsvunspecified

Microsoft Microsoft .net Framework 3.5.1vWindows 7 for 32-bit Systems Service Pack 1vWindows 7 for x64-based Systems Service Pack 1vWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1+2 more

Microsoft Microsoft .net Framework 4.5.2vWindows 7 for 32-bit Systems Service Pack 1vWindows 7 for x64-based Systems Service Pack 1vWindows 8.1 for 32-bit systems+10 more

Microsoft Microsoft .net Framework 4.6vWindows Server 2008 for 32-bit Systems Service Pack 2vWindows Server 2008 for x64-based Systems Service Pack 2

Disclosure

PublishedMay 16, 2019

Latest updateMay 24, 2022