CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.003 Low
Percentile: 67.9%

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A denial of service vulnerability exists in ASP.NET Core 3.1 and .NET 6.0: a malicious client can send a customized payload that is parsed during model binding and causes a stack overflow, which may result in a denial of service.
Package name | Affected version | Patched version |
---|---|---|
Microsoft.AspNetCore.App.Runtime.linux-arm | >= 3.1.0, < 3.1.29 | 3.1.29 |
Microsoft.AspNetCore.App.Runtime.linux-arm64 | >= 3.1.0, < 3.1.29 | 3.1.29 |
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >= 3.1.0, < 3.1.29 | 3.1.29 |
Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >= 3.1.0, < 3.1.29 | 3.1.29 |
Microsoft.AspNetCore.App.Runtime.linux-x64 | >= 3.1.0, < 3.1.29 | 3.1.29 |
Microsoft.AspNetCore.App.Runtime.osx-x64 | >= 3.1.0, < 3.1.29 | 3.1.29 |
Microsoft.AspNetCore.App.Runtime.win-arm | >= 3.1.0, < 3.1.29 | 3.1.29 |
Microsoft.AspNetCore.App.Runtime.win-arm64 | >= 3.1.5, < 3.1.29 | 3.1.29 |
Microsoft.AspNetCore.App.Runtime.win-x64 | >= 3.1.0, < 3.1.29 | 3.1.29 |
Microsoft.AspNetCore.App.Runtime.win-x86 | >= 3.1.0, < 3.1.29 | 3.1.29 |

Package name | Affected version | Patched version |
---|---|---|
Microsoft.AspNetCore.App.Runtime.linux-arm | >= 5.0.0, < 6.0.9 | 6.0.9 |
Microsoft.AspNetCore.App.Runtime.linux-arm64 | >= 5.0.0, < 6.0.9 | 6.0.9 |
Microsoft.AspNetCore.App.Runtime.linux-musl-arm | >= 5.0.1, < 6.0.9 | 6.0.9 |
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >= 5.0.0, < 6.0.9 | 6.0.9 |
Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >= 5.0.0, < 6.0.9 | 6.0.9 |
Microsoft.AspNetCore.App.Runtime.linux-x64 | >= 5.0.0, < 6.0.9 | 6.0.9 |
Microsoft.AspNetCore.App.Runtime.osx-arm64 | >= 6.0.0, < 6.0.9 | 6.0.9 |
Microsoft.AspNetCore.App.Runtime.osx-x64 | >= 5.0.0, < 6.0.9 | 6.0.9 |
Microsoft.AspNetCore.App.Runtime.win-arm | >= 5.0.0, < 6.0.9 | 6.0.9 |
Microsoft.AspNetCore.App.Runtime.win-arm64 | >= 5.0.0, < 6.0.9 | 6.0.9 |
Microsoft.AspNetCore.App.Runtime.win-x64 | >= 5.0.0, < 6.0.9 | 6.0.9 |
Microsoft.AspNetCore.App.Runtime.win-x86 | >= 5.0.0, < 6.0.9 | 6.0.9 |
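
To check a host against the two tables above, the following added example (not part of the advisory or of Microsoft's tooling) parses the output of `dotnet --list-runtimes` and reports every installed `Microsoft.AspNetCore.App` shared runtime that falls in an affected range. It assumes the widest range across runtime identifiers, so the few later starting points in the tables (for example win-arm64 from 3.1.5) are ignored; the sample output and its paths are constructed.

```python
import re

# Affected ranges from the advisory tables: (inclusive lower bound, patched version).
# Assumption: widest range across runtime identifiers is applied to every platform.
AFFECTED = [((3, 1, 0), (3, 1, 29)), ((5, 0, 0), (6, 0, 9))]
FRAMEWORK = "Microsoft.AspNetCore.App"

# One line of `dotnet --list-runtimes`: "<name> <version> [<install dir>]"
LINE = re.compile(r"^(\S+)\s+((\d+)\.(\d+)\.(\d+)\S*)\s+\[(.*)\]$")


def patched_version(version):
    """Return the patched version for an affected (major, minor, patch), else None."""
    for low, fixed in AFFECTED:
        if low <= version < fixed:
            return fixed
    return None


def find_vulnerable(list_runtimes_output):
    """Return (installed, patched, path) for each affected ASP.NET Core runtime."""
    findings = []
    for raw in list_runtimes_output.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) != FRAMEWORK:
            continue  # blank line, other framework, or unparseable line
        # Pre-release suffixes are ignored, so 6.0.0-rc.1 is compared as 6.0.0.
        version = tuple(int(m.group(i)) for i in (3, 4, 5))
        fixed = patched_version(version)
        if fixed is not None:
            findings.append((m.group(2), ".".join(map(str, fixed)), m.group(6)))
    return findings


# Constructed sample of `dotnet --list-runtimes` output (not from a real host).
SAMPLE = """\
Microsoft.AspNetCore.App 3.1.28 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.29 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.17 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.8 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.9 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 7.0.0-rc.1.22427.2 [/opt/dot net/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.8 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for installed, fixed, path in find_vulnerable(SAMPLE):
        print(f"{FRAMEWORK} {installed} is affected; update to {fixed} or later ({path})")
```

On a real host, pass the captured output of `dotnet --list-runtimes` to `find_vulnerable` instead of `SAMPLE`.
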
The announcement for this issue can be found at https://github.com/dotnet/announcements/issues/234
An issue for this can be found at https://github.com/dotnet/aspnetcore/issues/43953
MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38013
github.com/advisories/GHSA-r8m2-4x37-6592
github.com/dotnet/aspnetcore/security/advisories/GHSA-r8m2-4x37-6592
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2CUL3Z7MEED7RFQZVGQL2MTKSFFZKAAY/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7HCV4TQGOTOFHO5ETRKGFKAGYV2YAUVE/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JA6F4CDKLI3MALV6UK3P2DR5AGCLTT7Y/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4K5YL7USOKIR3O2DUKBZMYPWXYPDKXG/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WL334CKOHA6BQQSYJW365HIWJ4IOE45M/
nvd.nist.gov/vuln/detail/CVE-2022-38013
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38013