How to confirm if CLR version (4.0.30319) is not vulnerable?

Mohit Kulkarni 0 Reputation points
2023-07-13T12:20:09.52+00:00

During an assessment of the .NET application using the 'Detect It Easy' tool, it has been observed that the .NET CLR version 4.0.30319 is vulnerable, and it allows remote attackers to inject arbitrary web script or HTML via a crafted value. We're using .NET Framework v4.7.2 and CLR v4.0.30319. We need to know if this version is vulnerable to any such attacks and, if yes, what the latest recommended version to be used is.

.NET Runtime

2 answers

  1. Andy De George 90 Reputation points Microsoft Employee
    2023-07-13T15:48:25.86+00:00

    The scanner is probably triggering off of the CLR version, which doesn't change in value even though the version of .NET Framework installed on the computer may be a supported version such as v4.7.2 or v4.8. Using the CLR version isn't good enough to detect a real vulnerability.

    While v4.7.2 is still supported, it really depends on your app. If the app you're scanning isn't an ASP.NET server app, which is most likely what the vulnerability is talking about, you wouldn't even need to worry about that issue. If it was an ASP.NET server app, you would want to make sure it's using a supported .NET Framework version (which it seems to be) and make sure that the version of .NET Framework installed on Windows is the latest version, which is .NET Framework 4.8.1.

    https://learn.microsoft.com/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed

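The point in the answer above is that the CLR version string a binary scanner reads is the same for every .NET Framework 4.x release, so it cannot tell 4.5 from 4.8.1. The script below is an added example (not code from the answer or from Microsoft) that shows the difference: it reads the installed version the way the linked Microsoft article describes, via the `Release` DWORD under `HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full` and the minimum-value table from that article, and contrasts it with the `ImageRuntimeVersion` (the `v4.0.30319` metadata string) and the `TargetFrameworkAttribute` of an assembly. The assembly path `C:\apps\MyApp\MyApp.dll` and the `-Release` sample numbers passed in the usage lines are constructed for illustration.

```powershell
# Added example: distinguish the CLR version string (constant across .NET Framework 4.x)
# from the actually installed .NET Framework version.
# Threshold table taken from
# https://learn.microsoft.com/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed

function Get-NetFrameworkVersion {
    [CmdletBinding()]
    param(
        # Optional: supply a Release number (e.g. collected from another host)
        # instead of reading this machine's registry.
        [Parameter()]
        [int]$Release
    )

    if (-not $PSBoundParameters.ContainsKey('Release')) {
        $key  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
        $item = Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue
        if (-not $item) {
            return [pscustomobject]@{ Release = $null; Version = 'No .NET Framework 4.5 or later installed' }
        }
        $Release = [int]$item.Release
    }

    # Minimum Release value for each version, highest first; a value at or above
    # the threshold means that version (or a later servicing build) is installed.
    $thresholds = [ordered]@{
        533320 = '4.8.1'
        528040 = '4.8'
        461808 = '4.7.2'
        461308 = '4.7.1'
        460798 = '4.7'
        394802 = '4.6.2'
        394254 = '4.6.1'
        393295 = '4.6'
        379893 = '4.5.2'
        378675 = '4.5.1'
        378389 = '4.5'
    }

    $version = 'Unknown (Release value below the 4.5 table)'
    foreach ($min in $thresholds.Keys) {
        if ($Release -ge $min) { $version = $thresholds[$min]; break }
    }
    [pscustomobject]@{ Release = $Release; Version = $version }
}

function Get-AssemblyFrameworkInfo {
    # Shows what a PE/metadata scanner sees (ImageRuntimeVersion) next to the
    # framework the assembly was actually compiled against (TargetFrameworkAttribute).
    # NOTE: LoadFile loads the assembly into this process; only run this on binaries you trust.
    param([Parameter(Mandatory)][string]$Path)

    $asm = [System.Reflection.Assembly]::LoadFile((Resolve-Path $Path).Path)
    $tfm = $asm.GetCustomAttributesData() |
        Where-Object { $_.AttributeType.Name -eq 'TargetFrameworkAttribute' } |
        ForEach-Object { $_.ConstructorArguments[0].Value }

    [pscustomobject]@{
        Assembly            = $asm.GetName().Name
        ImageRuntimeVersion = $asm.ImageRuntimeVersion   # "v4.0.30319" for every 4.x target
        TargetFramework     = $tfm                       # e.g. ".NETFramework,Version=v4.7.2"
    }
}

# --- Usage ---
# What the running process reports as its CLR version: 4.0.30319.x on any .NET Framework 4.x
# (4.0.30319.42000 on 4.6 and later), so this number alone proves nothing about patch level.
[System.Environment]::Version

# The installed framework on this machine, which is what actually matters for patching.
Get-NetFrameworkVersion

# Constructed sample values: 461814 is the non-Windows-10 Release number for 4.7.2,
# 533325 the one for 4.8.1.
Get-NetFrameworkVersion -Release 461814
Get-NetFrameworkVersion -Release 533325

# Hypothetical path: compare the metadata version string with the compiled target framework.
# Get-AssemblyFrameworkInfo -Path 'C:\apps\MyApp\MyApp.dll'
```

The practical check that follows from the answer is therefore not "is the CLR 4.0.30319?" but "is `Release` at or above the value for the latest supported .NET Framework on this OS, and is Windows Update current?". A scanner finding keyed only to the `v4.0.30319` metadata string should be treated as informational until confirmed against the installed `Release` value.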

  2. Andy De George 90 Reputation points Microsoft Employee
    2023-07-13T15:50:26.1633333+00:00

    Double post due to slow internet....5th
