Vulnerability CVE-2020-1147: .NET Core Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
Microsoft is aware of a remote code execution vulnerability in .NET software that exists when the software fails to check the source markup of XML file input. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user.
An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted requests to an ASP.NET Core application or another application that parses certain types of XML.
The security update addresses the vulnerability by limiting the types that can be present in an XML payload.
Get the update
- .NET Core 3.1.6 and .NET Core SDK (Download | Release Notes)
- .NET Core 2.1.20 and .NET Core SDK (Download | Release Notes)
See the .NET Core release notes for release details, including fixed and raised issues.
The latest .NET Core updates are available on the .NET Core download page.
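To confirm that a host actually carries the fixed runtimes listed above, the following added example (not part of the original advisory and not Microsoft's code) classifies the output of dotnet --list-runtimes against 3.1.6 and 2.1.20. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Microsoft's code). Reads `dotnet --list-runtimes`
# style lines on stdin and compares each Microsoft.NETCore.App entry with
# the fixed versions this advisory lists: 3.1.6 and 2.1.20.
#   NEEDS_UPDATE <ver>  2.1.x or 3.1.x below the fixed patch level
#   PATCHED <ver>       2.1.x or 3.1.x at or above the fixed patch level
#   UNLISTED <ver>      release line or version form the advisory does not list
classify_runtimes() {
    while read -r name version _path; do
        [ "$name" = "Microsoft.NETCore.App" ] || continue
        case "$version" in
            *.*.*) ;;
            *) echo "UNLISTED $version"; continue ;;
        esac
        major=${version%%.*}
        rest=${version#*.}
        minor=${rest%%.*}
        patch=${rest#*.}
        case "$major.$minor" in
            3.1) fixed=6 ;;
            2.1) fixed=20 ;;
            *) echo "UNLISTED $version"; continue ;;
        esac
        # Prerelease or otherwise non-numeric patch levels are not compared.
        case "$patch" in
            ''|*[!0-9]*) echo "UNLISTED $version"; continue ;;
        esac
        # Numeric comparison, so 3.1.10 correctly sorts above 3.1.6.
        if [ "$patch" -lt "$fixed" ]; then
            echo "NEEDS_UPDATE $version"
        else
            echo "PATCHED $version"
        fi
    done
}

# Constructed sample input in the format printed by `dotnet --list-runtimes`.
sample_runtimes() {
    cat <<'EOF'
Microsoft.AspNetCore.App 3.1.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.19 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.20 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.5 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
EOF
}

# On a real host: dotnet --list-runtimes | classify_runtimes
sample_runtimes | classify_runtimes
```

Self-contained applications ship their own copy of the runtime and do not appear in this listing, so they have to be checked and republished separately.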
Docker images
.NET Docker images have also been updated. The following repositories have been updated:
- dotnet/core/sdk : .NET Core SDK
- dotnet/core/aspnet : ASP.NET Core Runtime
- dotnet/core/runtime : .NET Core Runtime
- dotnet/core/runtime-deps : .NET Core Runtime Dependencies
- dotnet/core/samples : .NET Core Samples
Note: To get this update, you must pull the updated .NET Core container images, using either docker pull or docker build --pull.
Visual Studio
This update will be included in a future update to Visual Studio.
Each version of Visual Studio is supported only with a specific version of the .NET Core SDK. Visual Studio version information is included in the .NET Core SDK download pages and release notes. If you are not using Visual Studio, we recommend using the latest SDK.