ASP.NET Core Denial of Service Vulnerability

In this blog, we are going to discus about vulnerable versions of .Net Core.

Introduction
 
In this blog, we are going to discuss vulnerable versions of .Net Core.
 
Microsoft regularly releases information about security breaches in ASP.Net Core. It informs developers which version they need to update to in order to remove this vulnerability.
 
Microsoft is aware of DOS Attacks in the OData library. 
 
In the below table, I have mentioned vulnerable packages in ASP .Net core.
 
Package Name  vulnerable version secure version
Microsoft.AspNetCore.DataProtection.AzureStorage
 2.1.1
 2.2.0
 2.1.2
 2.2.1
Microsoft.Data.OData  < 5.8.4  5.8.4
Microsoft.AspNetCore.All  2.1.0 - 2.1.12 2.2.0 - 2.2.6
 2.1.13
 2.2.7
 
We have two types of dependencies in .net core,
  1. Direct dependencies
  2. Transitive dependencies
Direct dependencies are dependencies where you specifically add a package to your project, transitive dependencies occur when you add a package to your project that in turn relies on another package. 
 
Mitigation policy
 
Open your application through visual studio and go to package manager console and run the below command.
  1. command :-  dotnet --info  
 
 
 
By running the above command you will come to know which package we need to update as per Microsoft security guidelines.
 
Direct dependencies
 
By editing your Cs.proj file we can fix the issue or we can update Nuget Package manager.
 
Transitive dependencies
 
Transitive dependencies occur when any vulnerable package is referring to  or relies on another package. By examining the project.asset.json file you can fix the issue.
 
Summary
 
In this blog, we have discussed vulnerable versions of .Net Core. As per Microsoft's security advice it is better to update packages which are in your application.