Vulnerability Name:
CVE-2019-0820 (CCN-160363)
Assigned:
2018-11-26
Published:
2019-05-14
Updated:
2023-02-02
Summary:
A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
CVSS v3 Severity:
7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
Low
Integrity (I):
None
Availability (A):
None
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High
CVSS v2 Severity:
5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Low
Authentication (Au):
None
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Low
Authentication (Au):
None
Impact Metrics:
Confidentiality (C):
Partial
Integrity (I):
None
Availability (A):
None
Vulnerability Type:
CWE-400
Vulnerability Consequences:
Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2019-0820
Source: secure@microsoft.com
Type: Third Party Advisory
secure@microsoft.com
Source: XF
Type: UNKNOWN
ms-dotnet-cve20190820-dos(160363)
Source: CCN
Type: Microsoft Security TechCenter - May 2019
.NET Framework and .NET Core Denial of Service Vulnerability
Source: secure@microsoft.com
Type: Patch, Vendor Advisory
secure@microsoft.com
Source: CCN
Type: IBM Security Bulletin 6598793 (Robotic Process Automation)
IBM Robotic Process Automation may be affected by multiple vulnerabilities in open source components (CVE-2019-0820, CVE-2020-15522, CVE-2021-43569)
Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-0820
Vulnerable Configuration:
Configuration RedHat 1:
cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 2:
cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*
Configuration CCN 1:
cpe:/a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*
OR
cpe:/a:microsoft:.net_framework:3.5:-:*:*:*:*:*:*
OR
cpe:/a:microsoft:.net_framework:3.5.1:*:*:*:*:*:*:*
OR
cpe:/a:microsoft:.net_framework:3.0:sp2:*:*:*:*:*:*
OR
cpe:/a:microsoft:.net_framework:4.5.2:*:*:*:*:*:*:*
OR
cpe:/a:microsoft:.net_framework:4.6:*:*:*:*:*:*:*
OR
cpe:/a:microsoft:.net_core:1.0:-:*:*:*:*:*:*
OR
cpe:/a:microsoft:.net_core:1.1:-:*:*:*:*:*:*
OR
cpe:/a:microsoft:.net_framework:4.7.2:*:*:*:*:*:*:*
OR
cpe:/a:microsoft:.net_core:2.1:-:*:*:*:*:*:*
OR
cpe:/a:microsoft:.net_core:2.2:-:*:*:*:*:*:*
OR
cpe:/a:microsoft:.net_framework:4.8:*:*:*:*:*:*:*
OR
cpe:/a:microsoft:.net_core:3.0:-:*:*:*:*:*:*
AND
cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x32:*
OR
cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x64:*
OR
cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:itanium:*
OR
cpe:/o:microsoft:windows_7:-:sp1:*:*:ultimate_n:*:x86:*
OR
cpe:/o:microsoft:windows_7::sp1:x64:*:*:*:*:*
OR
cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
OR
cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
OR
cpe:/o:microsoft:windows_server_2012:*:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_8.1:-:-:-:*:-:-:x32:*
OR
cpe:/o:microsoft:windows_8.1:::~~~~x64~:*:*:*:*:*
OR
cpe:/o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_10:-:*:*:*:*:*:x32:*
OR
cpe:/o:microsoft:windows_10:::~~~~x64~:*:*:*:*:*
OR
cpe:/o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_server:1803:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
OR
cpe:/o:microsoft:windows_10:-:*:*:*:*:*:arm64:*
OR
cpe:/o:microsoft:windows_server:1903:*:*:*:*:*:*:*
OR
cpe:/a:ibm:robotic_process_automation:21.0.1:*:*:*:*:*:*:*
Oval Definitions:
Definition ID:
oval:com.redhat.rhsa:def:20191259
Class:
P
Title:
RHSA-2019:1259: dotnet security, bug fix, and enhancement update (Important)
Last Modified:
2019-05-22
microsoft .net framework 2.0 sp2
microsoft .net framework 3.5
microsoft .net framework 3.5.1
microsoft .net framework 3.0 sp2
microsoft .net framework 4.5.2
microsoft .net framework 4.6
microsoft .net core 1.0
microsoft .net core 1.1
microsoft .net framework 4.7.2
microsoft .net core 2.1
microsoft .net core 2.2
microsoft .net framework 4.8
microsoft .net core 3.0
microsoft windows server 2008 sp2
microsoft windows server 2008 sp2
microsoft windows server 2008
microsoft windows 7 - sp1
microsoft windows 7 sp1
microsoft windows server 2008 r2
microsoft windows server 2008 r2
microsoft windows server 2012
microsoft windows 8.1 - -
microsoft windows 8.1
microsoft windows server 2012 r2
microsoft windows rt 8.1 -
microsoft windows 10 -
microsoft windows 10
microsoft windows server 2016
microsoft windows server 1803
microsoft windows server 2019
microsoft windows 10 -
microsoft windows server 1903
ibm robotic process automation 21.0.1