CVE-2019-0981 — Uncontrolled Resource Consumption in Microsoft NET Framework 2.0

CWE-400 — Uncontrolled Resource Consumption CWE-835 — Infinite Loop CWE-1333 — Regex Denial of Service11 documents7 sources

Severity

7.5HIGHNVD

EPSS

3.2%

top 12.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft NET Framework 2.0 Microsoft NET Framework 3.0 Microsoft NET Framework 3.5 +37 more

Timeline

PublishedMay 16

Latest updateMay 24

Description

A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests, aka '.Net Framework and .Net Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0820, CVE-2019-0980.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages41 packages

▶CVEListV5microsoft/microsoft_net_framework_4.8_on_windows_server_2019unspecified

▶CVEListV5microsoft/microsoft_net_framework_4.8_on_windows_7_for_32-bit_systems_service_pack_1unspecified

▶CVEListV5microsoft/microsoft_net_framework_4.8_on_windows_7_for_x64-based_systems_service_pack_1unspecified

▶CVEListV5microsoft/net_core4 versions+3

▶NVDmicrosoft/net_core4 versions+3

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

OSV

Denial of service in ASP.NET Core↗2022-05-24

▶

GHSA

Denial of service in ASP.NET Core↗2022-05-24

▶

GHSA

Denial of service in ASP.NET Core↗2022-05-24

▶

GHSA

Regular Expression Denial of Service in System.Text.RegularExpressions↗2021-08-04

▶

CVEList

CVE-2019-0981: A denial of service vulnerability exists when↗2019-05-16

▶

📋Vendor Advisories

Microsoft

.Net Framework and .Net Core Denial of Service Vulnerability↗2019-05-14

▶

Red Hat

dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of Service↗2019-05-14

▶

Red Hat

dotnet: timeouts for regular expressions are not enforced↗2019-05-14

▶

Red Hat

dotnet: infinite loop in Uri.TryCreate leading to ASP.Net Core Denial of Service↗2019-05-14

▶

💬Community

Bugzilla

CVE-2019-0981 dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of Service↗2019-05-02

▶

External resources

NVD MITRE

Affected products40

Microsoft NET Corev1v1.1v2.1+2 more

Microsoft NET Frameworkv2.0v3.0v3.5+9 more

Microsoft NET Framework 2.0vService Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2vService Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2vService Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2

Microsoft NET Framework 3.0vService Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2vService Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2vService Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2

Microsoft NET Framework 3.5vWindows 10 Version 1607 for 32-bit SystemsvWindows 10 Version 1607 for x64-based SystemsvWindows 10 Version 1703 for 32-bit Systems+22 more

Microsoft NET Framework 3.5 ON Windows 10 Version 1903 FOR 32-bit Systemsvunspecified

Microsoft NET Framework 3.5 ON Windows 10 Version 1903 FOR X64-based Systemsvunspecified

Microsoft NET Framework 3.5.1vWindows 7 for 32-bit Systems Service Pack 1vWindows 7 for x64-based Systems Service Pack 1vWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1+2 more

Microsoft NET Framework 4.5.2vWindows 7 for 32-bit Systems Service Pack 1vWindows 7 for x64-based Systems Service Pack 1vWindows 8.1 for 32-bit systems+10 more

Microsoft NET Framework 4.6vWindows Server 2008 for 32-bit Systems Service Pack 2vWindows Server 2008 for x64-based Systems Service Pack 2

Disclosure

PublishedMay 16, 2019

Latest updateMay 24, 2022