Blog Posts For 2019

Version 2.10

The STIG Spider team hopes you have a happy new year! The privacy policy was updated to clarify that your data is not forwarded to, or sold to, any other parties.

Version 2.9

STIG Spider was synchronized with DISA's 2019 Q4 SRG-STIG Library Compilation. Superseded STIG versions included with the Q4 SRG-STIG Library have been excluded from STIG Spider.

Version 2.8

Added the ability to have an alternate email address associated with your account for login and password reset purposes.

The following upstream vulnerabilities were addressed by the vendor and STIG Spider received automatic security updates:

  • CVE-2018-8269 Microsoft is aware of a denial of service attack in the Microsoft OData library used in ASP.NET that could cause a denial of service against an OData web application. An unauthenticated, remote attacker could exploit this vulnerability by issuing specially crafted requests to the OData application. The update addresses the vulnerability by updating the version of OData that ASP.NET Core uses.
  • CVE-2019-1301 Microsoft is aware of a denial of service vulnerability when .NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core web application. The vulnerability can be exploited remotely, without authentication. The update addresses the vulnerability by correcting how the .NET Core web application handles web requests.

Version 2.7

Fixed a bug where regular expression searches did not work when whole-word matching was not selected.

Version 2.6

STIG Spider was synchronized with DISA's 2019 Q3 SRG-STIG Library Compilation.

The following upstream vulnerabilities were addressed by the vendor and STIG Spider received automatic security updates:

  • CVE-2019-1075 A spoofing vulnerability exists in ASP.NET Core that could lead to an open redirect. An attacker who successfully exploited the vulnerability could redirect a targeted user to a malicious website. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL and convince the user to click the link. The update addresses the vulnerability by correcting how ASP.NET Core parses URLs.

Version 2.5

STIG Spider is now a year old! STIG Spider was synchronized with DISA's 2019 Q2 SRG-STIG Library Compilation.

The following upstream vulnerabilities were addressed by the vendor and STIG Spider received automatic security updates:

  • CVE-2019-0757 The security update addresses the vulnerability by correcting how NuGet restore creates file permissions for all files extracted to the client machine.
  • CVE-2019-0815 A denial of service vulnerability exists in ASP.NET Core 2.2 where, if an application is hosted on Internet Information Server (IIS), a remote unauthenticated attacker can use a specially crafted request to cause a denial of service.
  • CVE-2019-0820 A denial of service vulnerability exists when .NET Core improperly processes RegEx strings. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application.
  • CVE-2019-0980 A denial of service vulnerability exists when .NET Core and ASP.NET Core improperly handle web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core and ASP.NET Core application. The vulnerability can be exploited remotely, without authentication.
  • CVE-2019-0981 A denial of service vulnerability exists when .NET Core and ASP.NET Core improperly handle web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core and ASP.NET Core application. The vulnerability can be exploited remotely, without authentication.
  • CVE-2019-0982 A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.

Version 2.4

STIG Spider was synchronized with DISA's 2019 Q1 SRG-STIG Library Compilation.

The following upstream vulnerabilities were addressed by the vendor and STIG Spider received automatic security updates:

  • CVE-2018-8416 A tampering vulnerability exists when .NET Core improperly handles specially crafted files, aka ".NET Core Tampering Vulnerability."
  • CVE-2019-0545 An information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross-Origin Resource Sharing (CORS) configurations, aka ".NET Framework Information Disclosure Vulnerability."
  • CVE-2019-0548 A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka "ASP.NET Core Denial of Service Vulnerability."
  • CVE-2019-0564 A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka "ASP.NET Core Denial of Service Vulnerability." This CVE ID is unique from CVE-2019-0548.
  • CVE-2019-0657 A domain spoofing vulnerability exists in .NET Framework and .NET Core which causes the meaning of a URI to change when International Domain Name encoding is applied, aka ".NET Core Domain Spoofing Vulnerability."