From c51171398895a5562575fa98ff3e002df881c1c9 Mon Sep 17 00:00:00 2001 From: Rahul Bhandari Date: Mon, 7 Sep 2020 15:04:57 -0700 Subject: [PATCH] Update 2.1.21.md --- release-notes/2.1/2.1.21/2.1.21.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/release-notes/2.1/2.1.21/2.1.21.md b/release-notes/2.1/2.1.21/2.1.21.md index 3195a358..2580fa29 100644 --- a/release-notes/2.1/2.1.21/2.1.21.md +++ b/release-notes/2.1/2.1.21/2.1.21.md 
@@ -58,15 +58,15 @@ The images are expected to be available later today. .NET Core 2.1.21 release carries both security and non-security fixes. -### [CVE-2020-1147 | NET Core Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1147) +### [CVE-2020-1597 | NET Core Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1597) -Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. +Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. -Microsoft is aware of a remote code execution vulnerability exists in .NET software when the software fails to check the source markup of an XML file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. +A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication. -A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an ASP.NET Core application, or other application that parses certain types of XML. +A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application. -The security update addresses the vulnerability by restricting the types that are allowed to be present in the XML payload. 
+The update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests. ## Packages updated in this release:
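Review bot: The new heading line still reads "NET Core Remote Code Execution Vulnerability", but the paragraphs added beneath it describe a denial of service vulnerability in ASP.NET Core, so the title and the advisory text now disagree about both the impact and the affected product. Suggest changing the link text in the `### [CVE-2020-1597 | ...]` line to name a denial of service in ASP.NET Core, matching the body. The removed paragraph also said the issue could be triggered in an "other application that parses certain types of XML", while the new text scopes it to ASP.NET Core web applications only, so it is worth confirming that the narrower scope is intended. Finally, the subject "Update 2.1.21.md" does not say that the advisory reference is being swapped from CVE-2020-1147 to CVE-2020-1597. A more descriptive commit message would help anyone auditing which CVE these release notes point to.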