This is a vulnerability in how ASP.NET uses cryptography in
some circumstances that enables side-channel leaks through error
responses. The current ASP.NET use of encryption padding provides
information in error responses that can be used by a malicious party. We
will be fixing this vulnerability in the security update.
Does this affect both ASP.NET Web Forms and ASP.NET MVC?
Yes – the publicly disclosed exploit can be used against all
types of ASP.NET Applications (including both Web Forms and MVC).