CVE-2020-1161

dotnet: Denial of service due to infinite loop

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service Vulnerability'.

Existe una vulnerabilidad denegación de servicio cuando ASP.NET Core maneja inapropiadamente las peticiones web, también se conoce como "ASP.NET Core Denial of Service Vulnerability".

An infinite loop was found in the HTTP Routing component of Microsoft.AspNetCore.App, which could be exploited by a remote, unauthenticated attacker. This flaw allows an attacker without special privileges to send crafted requests to a machine running an ASP.NET Core application, triggering the infinite loop and causing a denial of service in that application, for example, a web server.

.NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address security vulnerabilities are now available. The updated versions are .NET Core SDK 3.1.104 and .NET Core Runtime 3.1.4. Issues addressed include a denial of service vulnerability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-11-04 CVE Reserved
2020-05-21 CVE Published
2024-08-04 CVE Updated
2025-04-11 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1161	2021-07-21

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2020-1161	2020-05-21
https://bugzilla.redhat.com/show_bug.cgi?id=1827645	2020-05-21

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Microsoft Search vendor "Microsoft"		Asp.net Core Search vendor "Microsoft" for product "Asp.net Core"				3.1 Search vendor "Microsoft" for product "Asp.net Core" and version "3.1"		-		Affected
Microsoft Search vendor "Microsoft"		Visual Studio 2017 Search vendor "Microsoft" for product "Visual Studio 2017"				>= 15.1 <= 15.9 Search vendor "Microsoft" for product "Visual Studio 2017" and version " >= 15.1 <= 15.9"		-		Affected
Microsoft Search vendor "Microsoft"		Visual Studio 2019 Search vendor "Microsoft" for product "Visual Studio 2019"				>= 16.0 <= 16.5 Search vendor "Microsoft" for product "Visual Studio 2019" and version " >= 16.0 <= 16.5"		-		Affected