Lucene search

K
githubGitHub Advisory DatabaseGHSA-485P-MRJ5-8W2V
HistoryOct 21, 2022 - 8:50 p.m.

.NET Denial of Service Vulnerability

2022-10-2120:50:24
CWE-400
GitHub Advisory Database
github.com
27
microsoft
.net
denial of service
vulnerability
update
httpclient
patches
security advisory
memory allocations
.net core 6.0.4
.net 5.0.16
.net core 3.1.24
sdk
visual studio
runtime
microsoft update
github
issue
msrc
cve-2022-23267

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

55.0%

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET 5.0 and .NET Core 3.1 where a malicious client can cause a Denial of Service via excess memory allocations through HttpClient.

Affected software

  • Any .NET 6.0 application running on .NET 6.0.4 or earlier.
  • Any .NET 5.0 application running .NET 5.0.16 or earlier.
  • Any .NET Core 3.1 applicaiton running on .NET Core 3.1.24 or earlier.

Patches

.NET 6.0, .NET 5.0 and .NET Core 3.1 updates are also available from Microsoft Update. To access this either type “Check for updates” in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Other Details

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/221
An Issue for this can be found at https://github.com/dotnet/runtime/issues/69149
MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-23267

Affected configurations

Vulners
Node
microsoftaspnetcore.app.runtime.win-x86Range6.0.06.0.5
OR
microsoftaspnetcore.app.runtime.win-x64Range6.0.06.0.5
OR
microsoftaspnetcore.app.runtime.win-arm64Range6.0.06.0.5
OR
microsoftaspnetcore.app.runtime.win-armRange6.0.06.0.5
OR
microsoftaspnetcore.app.runtime.osx-x64Range6.0.06.0.5
OR
microsoftaspnetcore.app.runtime.osx-arm64Range6.0.06.0.5
OR
microsoftaspnetcore.app.runtime.linux-x64Range6.0.06.0.5
OR
microsoftaspnetcore.app.runtime.linux-musl-x64Range6.0.06.0.5
OR
microsoftaspnetcore.app.runtime.linux-musl-arm64Range6.0.06.0.5
OR
microsoftaspnetcore.app.runtime.linux-musl-armRange6.0.06.0.5
OR
microsoftaspnetcore.app.runtime.linux-arm64Range6.0.06.0.5
OR
microsoftaspnetcore.app.runtime.linux-armRange6.0.06.0.5
OR
microsoftaspnetcore.app.runtime.linux-musl-armRange5.0.15.0.17
OR
microsoftaspnetcore.app.runtime.linux-musl-arm64Range5.0.05.0.17
OR
microsoftaspnetcore.app.runtime.win-armRange5.0.05.0.17
OR
microsoftaspnetcore.app.runtime.win-arm64Range5.0.05.0.17
OR
microsoftaspnetcore.app.runtime.linux-armRange5.0.05.0.17
OR
microsoftaspnetcore.app.runtime.linux-arm64Range5.0.05.0.17
OR
microsoftaspnetcore.app.runtime.linux-musl-x64Range5.0.05.0.17
OR
microsoftaspnetcore.app.runtime.osx-x64Range5.0.05.0.17
OR
microsoftaspnetcore.app.runtime.win-x86Range5.0.05.0.17
OR
microsoftaspnetcore.app.runtime.linux-x64Range5.0.05.0.17
OR
microsoftaspnetcore.app.runtime.win-x64Range5.0.05.0.17
OR
microsoftaspnetcore.app.runtime.win-x86Range3.0.03.1.25
OR
microsoftaspnetcore.app.runtime.win-x64Range3.0.03.1.25
OR
microsoftaspnetcore.app.runtime.win-arm64Range3.0.03.1.25
OR
microsoftaspnetcore.app.runtime.win-armRange3.0.03.1.25
OR
microsoftaspnetcore.app.runtime.osx-x64Range3.0.03.1.25
OR
microsoftaspnetcore.app.runtime.linux-x64Range3.0.03.1.25
OR
microsoftaspnetcore.app.runtime.linux-musl-x64Range3.0.03.1.25
OR
microsoftaspnetcore.app.runtime.linux-musl-arm64Range3.0.03.1.25
OR
microsoftaspnetcore.app.runtime.linux-arm64Range3.0.03.1.25
OR
microsoftaspnetcore.app.runtime.linux-armRange3.0.03.1.25
VendorProductVersionCPE
microsoftaspnetcore.app.runtime.win-x86*cpe:2.3:a:microsoft:aspnetcore.app.runtime.win-x86:*:*:*:*:*:*:*:*
microsoftaspnetcore.app.runtime.win-x64*cpe:2.3:a:microsoft:aspnetcore.app.runtime.win-x64:*:*:*:*:*:*:*:*
microsoftaspnetcore.app.runtime.win-arm64*cpe:2.3:a:microsoft:aspnetcore.app.runtime.win-arm64:*:*:*:*:*:*:*:*
microsoftaspnetcore.app.runtime.win-arm*cpe:2.3:a:microsoft:aspnetcore.app.runtime.win-arm:*:*:*:*:*:*:*:*
microsoftaspnetcore.app.runtime.osx-x64*cpe:2.3:a:microsoft:aspnetcore.app.runtime.osx-x64:*:*:*:*:*:*:*:*
microsoftaspnetcore.app.runtime.osx-arm64*cpe:2.3:a:microsoft:aspnetcore.app.runtime.osx-arm64:*:*:*:*:*:*:*:*
microsoftaspnetcore.app.runtime.linux-x64*cpe:2.3:a:microsoft:aspnetcore.app.runtime.linux-x64:*:*:*:*:*:*:*:*
microsoftaspnetcore.app.runtime.linux-musl-x64*cpe:2.3:a:microsoft:aspnetcore.app.runtime.linux-musl-x64:*:*:*:*:*:*:*:*
microsoftaspnetcore.app.runtime.linux-musl-arm64*cpe:2.3:a:microsoft:aspnetcore.app.runtime.linux-musl-arm64:*:*:*:*:*:*:*:*
microsoftaspnetcore.app.runtime.linux-musl-arm*cpe:2.3:a:microsoft:aspnetcore.app.runtime.linux-musl-arm:*:*:*:*:*:*:*:*
Rows per page:
1-10 of 121

References

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

55.0%