ASP.NET Core Denial of Service Vulnerability

Introduction
 
In this blog, we are going to discuss vulnerable versions of .NET Core.

Microsoft regularly releases information about security vulnerabilities in ASP.NET Core and tells developers which version they need to update to in order to remove each vulnerability.

Microsoft is aware of denial-of-service (DoS) attacks against the OData library.

In the table below, I have listed the vulnerable packages in ASP.NET Core.
 
Package Name                                       Vulnerable version               Secure version
Microsoft.AspNetCore.DataProtection.AzureStorage   2.1.1, 2.2.0                     2.1.2, 2.2.1
Microsoft.Data.OData                               < 5.8.4                          5.8.4
Microsoft.AspNetCore.All                           2.1.0 - 2.1.12, 2.2.0 - 2.2.6    2.1.13, 2.2.7
 
There are two types of dependencies in .NET Core:
  1. Direct dependencies
  2. Transitive dependencies
Direct dependencies are packages that you add to your project explicitly. Transitive dependencies occur when a package you add to your project in turn relies on another package.
 
Mitigation policy
 
Open your application in Visual Studio, go to the Package Manager Console, and run the command below.

  dotnet --info

The command shows the installed .NET Core SDK and runtime versions, which tells you what you need to update as per Microsoft's security guidelines.
 
Direct dependencies
 
You can fix the issue by editing your .csproj file, or by updating the package through the NuGet Package Manager.
 
Transitive dependencies
 
Transitive dependencies occur when a package in your project refers to or relies on another package, and that other package may be a vulnerable one. You can fix the issue by examining the project.assets.json file.
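As an added example (not code from the original post or from Microsoft), the following Python script reads a project.assets.json file, checks every resolved package against the ranges in the table above, and reports whether each hit is a direct or a transitive dependency. The VULNERABLE map, the function names and the sample JSON are assumptions made for illustration; each vulnerable range is paired with the secure version of the same release line.

```python
import json

# Ranges from the table above as (first vulnerable, first secure); secure is exclusive.
# Assumption: vulnerable and secure versions are paired by release line (2.1.x, 2.2.x).
VULNERABLE = {
    "microsoft.aspnetcore.dataprotection.azurestorage": [("2.1.1", "2.1.2"), ("2.2.0", "2.2.1")],
    "microsoft.data.odata": [("0", "5.8.4")],
    "microsoft.aspnetcore.all": [("2.1.0", "2.1.13"), ("2.2.0", "2.2.7")],
}

def parse_version(text):
    """'2.1.5-rc1' -> (2, 1, 5, 0); pre-release/build suffixes are ignored (simplification)."""
    core = text.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def audit(assets):
    """Return sorted (package, version, 'direct'|'transitive', secure_version) findings."""
    direct = set()
    for fw in assets.get("project", {}).get("frameworks", {}).values():
        direct.update(name.lower() for name in fw.get("dependencies", {}))
    findings = []
    for key, lib in assets.get("libraries", {}).items():
        if lib.get("type") != "package":
            continue  # project-to-project references are not NuGet packages
        name, _, version = key.partition("/")
        for low, secure in VULNERABLE.get(name.lower(), []):
            # Numeric tuple comparison, so 2.1.12 sorts below 2.1.13 (string compare would not)
            if parse_version(low) <= parse_version(version) < parse_version(secure):
                kind = "direct" if name.lower() in direct else "transitive"
                findings.append((name, version, kind, secure))
    return sorted(findings)

# Constructed sample: a trimmed obj/project.assets.json, not taken from a real project.
SAMPLE = json.loads("""
{
  "libraries": {
    "Microsoft.AspNetCore.All/2.1.5": {"type": "package"},
    "Microsoft.Data.OData/5.8.3": {"type": "package"},
    "Microsoft.AspNetCore.DataProtection.AzureStorage/2.1.2": {"type": "package"},
    "MyLib/1.0.0": {"type": "project"}
  },
  "project": {"frameworks": {"netcoreapp2.1": {"dependencies": {
    "Microsoft.AspNetCore.All": {"target": "Package", "version": "[2.1.5, )"}
  }}}}
}
""")

if __name__ == "__main__":
    for name, version, kind, secure in audit(SAMPLE):
        print(f"{name} {version} ({kind}) -> secure version {secure}")
```

To check a real project, load obj/project.assets.json with json.load and pass the result to audit; a transitive hit is fixed by updating the package that pulls it in or by adding a direct reference to the secure version.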
 
Summary
 
In this blog, we have discussed vulnerable versions of .NET Core. As per Microsoft's security advice, it is better to update the affected packages in your application.