CVE-2019-0545
Description
An information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross-origin Resource Sharing (CORS) configurations, aka ".NET Framework Information Disclosure Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.7/4.7.1/4.7.2, .NET Core 2.1, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, .NET Core 2.2, Microsoft .NET Framework 4.7.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
.NET Framework and .NET Core fail to properly enforce CORS policies, allowing an attacker to bypass cross-origin restrictions and read protected content from web applications.
Vulnerability
An information disclosure vulnerability exists in Microsoft .NET Framework 2.0, 3.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, and .NET Core 2.1 and 2.2 that allows bypassing Cross-origin Resource Sharing (CORS) configurations. The vulnerability resides in System.Net.Http within the Microsoft.NETCore.App package (specific versions: 2.1.0-2.1.6, 2.2.0) and in the .NET Framework's HTTP stack. Affected applications are those that rely on the framework's built-in CORS enforcement mechanisms. [1][2][3]
Exploitation
An attacker can exploit this vulnerability by sending a crafted cross-origin HTTP request to a targeted web application that depends on .NET's CORS configuration for access control. No special authentication or write access is required; the attacker only needs network connectivity to the target. The vulnerability enables the bypass of CORS policies that would normally block cross-origin reads, allowing the attacker to retrieve content restricted by those policies. [1][2]
Impact
Successful exploitation results in information disclosure. The attacker can retrieve content from a web application that is normally restricted by CORS, potentially exposing sensitive data such as API responses, user information, or application state. The attacker gains unauthorized read access to the target's cross-origin resources. [1][2][3]
Mitigation
Microsoft released security updates for .NET Framework (various versions) as part of January 2019 updates. For .NET Core, the fix is included in Microsoft.NETCore.App packages: upgrade to version 2.1.7 (for 2.1.x) or 2.2.1 (for 2.2.x). Red Hat Enterprise Linux users should apply RHSA-2019:0040. No workarounds are documented; the only mitigation is to apply the available patches. [1][2]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.NETCore.App (NuGet) | >= 2.1.0, < 2.1.7 | 2.1.7 |
| Microsoft.NETCore.App (NuGet) | >= 2.2.0, < 2.2.1 | 2.2.1 |
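To check a host against the ranges in this table, the following added example (not part of the advisory or of any Microsoft tooling) classifies the shared .NET Core runtimes reported by `dotnet --list-runtimes`. The function names and the sample output are constructed for illustration; it covers .NET Core only, not .NET Framework.

```python
import re

# Ranges from the "Affected packages" table: major.minor -> (first affected, first patched).
AFFECTED = {
    (2, 1): ((2, 1, 0), (2, 1, 7)),
    (2, 2): ((2, 2, 0), (2, 2, 1)),
}

# One line of `dotnet --list-runtimes`: "<name> <version> [<install dir>]".
LINE_RE = re.compile(
    r"^Microsoft\.NETCore\.App\s+(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?\s+\[(.+)\]$"
)

def classify(major, minor, patch, prerelease=False):
    """Return 'vulnerable', 'patched' or 'not-listed' for one runtime version."""
    bounds = AFFECTED.get((major, minor))
    if bounds is None:
        return "not-listed"          # the page gives no range for this release line
    # A pre-release sorts before the release of the same number (SemVer ordering).
    key = (major, minor, patch, 0 if prerelease else 1)
    first_affected, first_patched = (b + (1,) for b in bounds)
    if key < first_affected:
        return "not-listed"
    return "vulnerable" if key < first_patched else "patched"

def scan(list_runtimes_output):
    """Return [(version, install_dir, status)] for each Microsoft.NETCore.App line."""
    findings = []
    for line in list_runtimes_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue                 # other shared frameworks, blank lines
        major, minor, patch = (int(g) for g in m.group(1, 2, 3))
        pre = m.group(4) or ""
        status = classify(major, minor, patch, prerelease=bool(pre))
        findings.append((f"{major}.{minor}.{patch}{pre}", m.group(5), status))
    return findings

# Constructed sample output, not captured from a real host.
SAMPLE = """\
Microsoft.AspNetCore.App 2.1.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.7 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 2.2.0 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.32 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for version, path, status in scan(SAMPLE):
        print(f"{status:11} {version:8} {path}")
```

Self-contained deployments bundle their own copy of the runtime and do not appear in `dotnet --list-runtimes`, so they have to be inventoried separately.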
Affected products
- Microsoft/Microsoft .NET Framework (v5), Range: 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2
- Microsoft/.NET Core (v5), Range: 2.1
References
- access.redhat.com/errata/RHSA-2019:0040
- github.com/advisories/GHSA-2xjx-v99w-gqf3
- nvd.nist.gov/vuln/detail/CVE-2019-0545
- www.securityfocus.com/bid/106405
- github.com/dotnet/announcements/issues/94
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0545