STIG Spider was synchronized with DISA's 2020 Q4 SRG-STIG Library Compilation.
The following upstream vulnerabilities were addressed by the vendor and STIG Spider received automatic security updates:
- CVE-2020-1045: A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes the entire cookie string before splitting it, which could allow a malicious attacker to smuggle in a second cookie by giving one cookie a percent-encoded name. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.
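To make the parsing mistake behind CVE-2020-1045 concrete, the following is an added illustration in Python; it is not ASP.NET Core's parser and not STIG Spider's code. It contrasts a parser that percent-decodes the whole Cookie header before splitting on ';' and '=' with one that splits the raw header first and only then decodes each name and value. The header value, the cookie names and the is_admin check are all constructed for the example.

```python
from urllib.parse import unquote

# Constructed Cookie header. The second cookie was set with a percent-encoded
# NAME ("user%3Dalice%3B%20isAdmin"); decoded, that name reads "user=alice; isAdmin",
# so it hides a ';' delimiter and an '=' inside a single cookie name.
# The third cookie shows that legitimate encoding in a VALUE must still decode.
RAW_COOKIE_HEADER = "session=abc123; user%3Dalice%3B%20isAdmin=true; theme=dark%20mode"


def _split_pairs(header: str):
    """Split a Cookie header into (name, value) strings on ';' and the first '='."""
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield name.strip(), value.strip()


def parse_cookies_vulnerable(header: str) -> dict:
    """Decode the ENTIRE header first, then split (the pattern the advisory describes).

    Encoded delimiters inside a cookie name turn into real delimiters, so one
    attacker-controlled cookie is parsed as several cookies.
    """
    return dict(_split_pairs(unquote(header)))


def parse_cookies_fixed(header: str) -> dict:
    """Split the RAW header first, then decode each name and value on its own.

    Percent-encoded delimiters stay inside the name they were sent in.
    """
    return {unquote(name): unquote(value) for name, value in _split_pairs(header)}


def is_admin(cookies: dict) -> bool:
    """Hypothetical authorization check that trusts a cookie named isAdmin."""
    return cookies.get("isAdmin") == "true"


if __name__ == "__main__":
    vulnerable = parse_cookies_vulnerable(RAW_COOKIE_HEADER)
    fixed = parse_cookies_fixed(RAW_COOKIE_HEADER)
    print("decode-then-split:", vulnerable, "-> is_admin:", is_admin(vulnerable))
    print("split-then-decode:", fixed, "-> is_admin:", is_admin(fixed))
```

With the decode-then-split parser the single smuggled cookie yields separate user and isAdmin entries, and the check passes; with the split-then-decode parser the whole string "user=alice; isAdmin" remains one cookie name and no isAdmin cookie exists. The percent sign is a legal character in a cookie-name token under RFC 6265, so a browser will send such a name if another origin or script on the same site manages to set it; the order of decoding and splitting is the only thing standing between the two outcomes.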
STIG Spider's security posture was enhanced through the following modifications:
- Web browsers must support TLS 1.2 or newer to view this website.
- Client-side libraries were updated to their latest versions to mitigate XSS vulnerabilities.
- Cookie, content, and script policy headers were explicitly defined with default or better protections.
STIG Spider was synchronized with DISA's 2020 Q3 SRG-STIG Library Compilation.
The following upstream vulnerabilities were addressed by the vendor and STIG Spider received automatic security updates:
- CVE-2020-1597: A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication. The update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.
- CVE-2020-1147: Microsoft is aware of a remote code execution vulnerability that exists in .NET software when the software fails to check the source markup of an XML file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an ASP.NET Core application, or to any other application that parses certain types of XML. The security update addresses the vulnerability by restricting the types that are allowed to be present in the XML payload.
The following upstream vulnerabilities were addressed by the vendor and STIG Spider received automatic security updates:
- CVE-2020-1108: Microsoft is aware of a denial of service vulnerability which exists when .NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core web application. The vulnerability can be exploited remotely, without authentication. The update addresses the vulnerability by correcting how the .NET Core web application handles web requests.
- CVE-2020-1161: Microsoft is aware of a denial of service vulnerability which exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication. The update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.
STIG Spider is now two years old! STIG Spider was synchronized with DISA's 2020 Q2 SRG-STIG Library Compilation.
STIG Spider was synchronized with DISA's 2020 Q1 SRG-STIG Library Compilation.
The following upstream vulnerabilities were addressed by the vendor and STIG Spider received automatic security updates:
- CVE-2020-0602: Microsoft is aware of a denial of service vulnerability that exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication: a remote unauthenticated attacker could exploit it by issuing specially crafted requests to the ASP.NET Core application. The update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.
- CVE-2020-0603: Microsoft is aware of a remote code execution vulnerability that exists in ASP.NET Core software when the software fails to handle objects in memory. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication: a remote unauthenticated attacker could exploit it by issuing specially crafted requests to the ASP.NET Core application. The update addresses the vulnerability by correcting how the ASP.NET Core web application handles objects in memory.
- CVE-2020-0605: Microsoft is aware of a remote code execution vulnerability that exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of .NET Core. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open it. The security update addresses the vulnerability by correcting how .NET Core checks the source markup of a file.
- CVE-2020-0606: Microsoft is aware of a remote code execution vulnerability that exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of .NET Core. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open it. The security update addresses the vulnerability by correcting how .NET Core checks the source markup of a file.