Lucene search

K
githubGitHub Advisory DatabaseGHSA-3RQ8-H3GJ-R5C6
HistoryAug 30, 2022 - 7:32 p.m.

.NET Denial of Service Vulnerability

2022-08-3019:32:29
CWE-400
GitHub Advisory Database
github.com
39
microsoft
security
advisory
vulnerability
.net 6.0
.net 5.0
.net core 3.1
denial of service
malicious
cookies
update
applications

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

55.0%

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET 5.0 and .NET core 3.1 where a malicious client can manipulate cookies and cause a Denial of Service.

Affected software

  • Any .NET 6.0 application running on .NET 6.0.4 or earlier.
  • Any .NET 5.0 application running .NET 5.0.16 or earlier.
  • Any .NET Core 3.1 application running on .NET Core 3.1.24 or earlier.

Affected packages

.NET Core 3.1

Package name Affected versions Patched versions
Microsoft.Owin.Security.Cookies <4.2.2 4.2.2
Microsoft.Owin.Security <4.2.2 4.2.2
Microsoft.AspNetCore.App.Runtime.win-x64 >=3.0.0,3.1.24 3.1.25
Microsoft.AspNetCore.App.Runtime.linux-x64 >=3.0.0,3.1.24 3.1.25
Microsoft.AspNetCore.App.Runtime.win-x86 >=3.0.0,3.1.24 3.1.25
Microsoft.AspNetCore.App.Runtime.osx-x64 >=3.0.0,3.1.24 3.1.25
Microsoft.AspNetCore.App.Runtime.linux-musl-x64 >=3.0.0,3.1.24 3.1.25
Microsoft.AspNetCore.App.Runtime.linux-arm64 >=3.0.0,3.1.24 3.1.25
Microsoft.AspNetCore.App.Runtime.linux-arm >=3.0.0,3.1.24 3.1.25
Microsoft.AspNetCore.App.Runtime.win-arm64 >=3.0.0,3.1.24 3.1.25
Microsoft.AspNetCore.App.Runtime.win-arm >=3.0.0,3.1.24 3.1.25
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 >=3.0.0,3.1.24 3.1.25
Microsoft.AspNetCore.App.Runtime.linux-musl-arm >=3.0.0,3.1.24 3.1.25

.NET 5.0

Affected packages Affected versions Patched versions
Microsoft.Owin.Security.Cookies < 4.2.2 4.2.2
Microsoft.AspNetCore.App.Runtime.win-x64 >=5.0.0,5.0.16 5.0.17
Microsoft.AspNetCore.App.Runtime.linux-x64 >=5.0.0,5.0.16 5.0.17
Microsoft.AspNetCore.App.Runtime.win-x86 >=5.0.0,5.0.16 5.0.17
Microsoft.AspNetCore.App.Runtime.osx-x64 >=5.0.0,5.0.16 5.0.17
Microsoft.AspNetCore.App.Runtime.linux-musl-x64 >=5.0.0,5.0.16 5.0.17
Microsoft.AspNetCore.App.Runtime.linux-arm64 >=5.0.0,5.0.16 5.0.17
Microsoft.AspNetCore.App.Runtime.linux-arm >=5.0.0,5.0.16 5.0.17
Microsoft.AspNetCore.App.Runtime.win-arm64 >=5.0.0,5.0.16 5.0.17
Microsoft.AspNetCore.App.Runtime.win-arm >=5.0.0,5.0.16 5.0.17
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 >=5.0.0,5.0.16 5.0.17
Microsoft.AspNetCore.App.Runtime.linux-musl-arm >=5.0.0,5.0.16 5.0.17

.NET 6.0

Affected packages Affected versions Patched versions
Microsoft.Owin.Security.Cookies <4.2.2 4.2.2
Microsoft.AspNetCore.App.Runtime.win-x64 >=6.0.0,6.0.4 6.0.5
Microsoft.AspNetCore.App.Runtime.linux-x64 >=6.0.0,6.0.4 6.0.5
Microsoft.AspNetCore.App.Runtime.win-x86 >=6.0.0,6.0.4 6.0.5
Microsoft.AspNetCore.App.Runtime.osx-x64 >=6.0.0,6.0.4 6.0.5
Microsoft.AspNetCore.App.Runtime.linux-musl-x64 >=6.0.0,6.0.4 6.0.5
Microsoft.AspNetCore.App.Runtime.linux-arm64 >=6.0.0,6.0.4 6.0.5
Microsoft.AspNetCore.App.Runtime.linux-arm >=6.0.0,6.0.4 6.0.5
Microsoft.AspNetCore.App.Runtime.win-arm64 >=6.0.0,6.0.4 6.0.5
Microsoft.AspNetCore.App.Runtime.win-arm >=6.0.0,6.0.4 6.0.5
Microsoft.AspNetCore.App.Runtime.osx-arm64 >=6.0.0,6.0.4 6.0.5
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 >=6.0.0,6.0.4 6.0.5
Microsoft.AspNetCore.App.Runtime.linux-musl-arm >=6.0.0,6.0.4 6.0.5

Patches

.NET 6.0, .NET 5.0 and .NET Core 3.1 updates are also available from Microsoft Update. To access this either type “Check for updates” in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Other Details

Affected configurations

Vulners
Node
microsoftaspnetcore.app.runtime.osx-arm64Range6.0.06.0.5
OR
microsoftowinRange<4.2.2
OR
microsoftowin.security.cookiesRange<4.2.2
OR
microsoftaspnetcore.app.runtime.linux-musl-armRange6.0.06.0.4
OR
microsoftaspnetcore.app.runtime.linux-musl-armRange5.0.05.0.16
OR
microsoftaspnetcore.app.runtime.linux-musl-armRange3.0.03.1.24
OR
microsoftaspnetcore.app.runtime.linux-musl-arm64Range6.0.06.0.4
OR
microsoftaspnetcore.app.runtime.linux-musl-arm64Range5.0.05.0.16
OR
microsoftaspnetcore.app.runtime.linux-musl-arm64Range3.0.03.1.24
OR
microsoftaspnetcore.app.runtime.win-armRange6.0.06.0.4
OR
microsoftaspnetcore.app.runtime.win-armRange5.0.05.0.16
OR
microsoftaspnetcore.app.runtime.win-armRange3.0.03.1.24
OR
microsoftaspnetcore.app.runtime.win-arm64Range6.0.06.0.4
OR
microsoftaspnetcore.app.runtime.win-arm64Range5.0.05.0.16
OR
microsoftaspnetcore.app.runtime.win-arm64Range3.0.03.1.24
OR
microsoftaspnetcore.app.runtime.linux-armRange6.0.06.0.4
OR
microsoftaspnetcore.app.runtime.linux-armRange5.0.05.0.16
OR
microsoftaspnetcore.app.runtime.linux-armRange3.0.03.1.24
OR
microsoftaspnetcore.app.runtime.linux-arm64Range6.0.06.0.4
OR
microsoftaspnetcore.app.runtime.linux-arm64Range5.0.05.0.16
OR
microsoftaspnetcore.app.runtime.linux-arm64Range3.0.03.1.24
OR
microsoftaspnetcore.app.runtime.linux-musl-x64Range6.0.06.0.4
OR
microsoftaspnetcore.app.runtime.linux-musl-x64Range5.0.05.0.16
OR
microsoftaspnetcore.app.runtime.linux-musl-x64Range3.0.03.1.24
OR
microsoftaspnetcore.app.runtime.osx-x64Range6.0.06.0.4
OR
microsoftaspnetcore.app.runtime.osx-x64Range5.0.05.0.16
OR
microsoftaspnetcore.app.runtime.osx-x64Range3.0.03.1.24
OR
microsoftaspnetcore.app.runtime.win-x86Range6.0.06.0.4
OR
microsoftaspnetcore.app.runtime.win-x86Range5.0.05.0.16
OR
microsoftaspnetcore.app.runtime.win-x86Range3.0.03.1.24
OR
microsoftaspnetcore.app.runtime.linux-x64Range6.0.06.0.4
OR
microsoftaspnetcore.app.runtime.linux-x64Range5.0.05.0.16
OR
microsoftaspnetcore.app.runtime.linux-x64Range3.0.03.1.24
OR
microsoftaspnetcore.app.runtime.win-x64Range6.0.06.0.4
OR
microsoftaspnetcore.app.runtime.win-x64Range5.0.05.0.16
OR
microsoftaspnetcore.app.runtime.win-x64Range3.0.03.1.24
VendorProductVersionCPE
microsoftaspnetcore.app.runtime.osx-arm64*cpe:2.3:a:microsoft:aspnetcore.app.runtime.osx-arm64:*:*:*:*:*:*:*:*
microsoftowin*cpe:2.3:a:microsoft:owin:*:*:*:*:*:*:*:*
microsoftowin.security.cookies*cpe:2.3:a:microsoft:owin.security.cookies:*:*:*:*:*:*:*:*
microsoftaspnetcore.app.runtime.linux-musl-arm*cpe:2.3:a:microsoft:aspnetcore.app.runtime.linux-musl-arm:*:*:*:*:*:*:*:*
microsoftaspnetcore.app.runtime.linux-musl-arm64*cpe:2.3:a:microsoft:aspnetcore.app.runtime.linux-musl-arm64:*:*:*:*:*:*:*:*
microsoftaspnetcore.app.runtime.win-arm*cpe:2.3:a:microsoft:aspnetcore.app.runtime.win-arm:*:*:*:*:*:*:*:*
microsoftaspnetcore.app.runtime.win-arm64*cpe:2.3:a:microsoft:aspnetcore.app.runtime.win-arm64:*:*:*:*:*:*:*:*
microsoftaspnetcore.app.runtime.linux-arm*cpe:2.3:a:microsoft:aspnetcore.app.runtime.linux-arm:*:*:*:*:*:*:*:*
microsoftaspnetcore.app.runtime.linux-arm64*cpe:2.3:a:microsoft:aspnetcore.app.runtime.linux-arm64:*:*:*:*:*:*:*:*
microsoftaspnetcore.app.runtime.linux-musl-x64*cpe:2.3:a:microsoft:aspnetcore.app.runtime.linux-musl-x64:*:*:*:*:*:*:*:*
Rows per page:
1-10 of 141

References

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

55.0%