ASP.NET Core Remote Code Execution Vulnerability
Released: Jan 14, 2020
Last updated: May 28, 2020
- Assigning CNA
- Microsoft
- CVE.org link
- CVE-2020-0603
Executive Summary
A remote code execution vulnerability exists in ASP.NET Core software when the software fails to handle client deleted connections.
An attacker who successfully exploited the vulnerability could run arbitrary code in memory on the server. Exploitation of the vulnerability requires that a user perform certain actions during the connection process.
The security update addresses the vulnerability by correcting how ASP.NET Core handles deleted connections.
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
- Publicly disclosed
- No
- Exploited
- No
- Exploitability assessment
- Exploitation Less Likely
Acknowledgements
Security Updates
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
Disclaimer
Revisions
Updated description to clarify information about the vulnerability. This is an informational change only.
Information published.