Lucene search

K
githubGitHub Advisory DatabaseGHSA-RH58-R7JH-XHX3
HistoryOct 25, 2022 - 5:33 p.m.

.NET Core Elevation of Privilege Vulnerability

2022-10-2517:33:12
GitHub Advisory Database
github.com
29
microsoft
security advisory
denial of service
vulnerability
.net 5.0
.net core 3.1
.net core 2.1
websocket
endpoint
patches
update
sdk
runtime
github
msrc
cve-2021-26423

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

57.1%

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A denial of service vulnerability exists in .NET 5.0, .NET Core 3.1 and .NET Core 2.1 where .NET (Core) server applications providing WebSocket endpoints could be tricked into endlessly looping while trying to read a single WebSocket frame.

Patches

Other Details

Affected configurations

Vulners
Node
microsoft.netcore.app.runtime.linuxarmRange<5.0.9
OR
microsoft.netcore.app.runtime.linuxarmRange<3.1.18
OR
microsoft.netcore.app.runtime.linuxarm64Range<5.0.9
OR
microsoft.netcore.app.runtime.linuxarm64Range<3.1.18
OR
microsoft.netcore.app.runtime.rhel.6x64Range<3.1.18
OR
microsoft.netcore.app.runtime.linuxarmRange<5.0.9
OR
microsoft.netcore.app.runtime.linuxarm64Range<5.0.9
OR
microsoft.netcore.app.runtime.linuxarm64Range<3.1.18
OR
microsoft.netcore.app.runtime.linuxx64Range<5.0.9
OR
microsoft.netcore.app.runtime.linuxx64Range<3.1.18
OR
microsoft.netcore.app.runtime.linuxx64Range<5.0.9
OR
microsoft.netcore.app.runtime.linuxx64Range<3.1.18
OR
microsoft.netcore.app.runtime.mono.linuxarmRange<5.0.9
OR
microsoft.netcore.app.runtime.mono.linuxarm64Range<5.0.9
OR
microsoft.netcore.app.runtime.mono.linuxx64Range<5.0.9
OR
microsoft.netcore.app.runtime.mono.linuxx64Range<5.0.9
OR
microsoft.netcore.app.runtime.mono.llvm.aot.linuxarm64Range<5.0.9
OR
microsoft.netcore.app.runtime.mono.llvm.aot.linuxx64Range<5.0.9
OR
microsoft.netcore.app.runtime.mono.llvm.aot.osxx64Range<5.0.9
OR
microsoft.netcore.app.runtime.mono.llvm.linuxarm64Range<5.0.9
OR
microsoft.netcore.app.runtime.mono.llvm.linuxx64Range<5.0.9
OR
microsoft.netcore.app.runtime.mono.llvm.osxx64Range<5.0.9
OR
microsoft.netcore.app.runtime.mono.osxx64Range<5.0.9
OR
microsoft.netcore.app.runtime.osxx64Range<5.0.9
OR
microsoft.netcore.app.runtime.osxx64Range<3.1.18
OR
microsoft.netcore.app.runtime.winarmRange<5.0.9
OR
microsoft.netcore.app.runtime.winarmRange<3.1.18
OR
microsoft.netcore.app.runtime.winarm64Range<5.0.9
OR
microsoft.netcore.app.runtime.winarm64Range<3.1.18
OR
microsoft.netcore.app.runtime.winx64Range<5.0.9
OR
microsoft.netcore.app.runtime.winx64Range<3.1.18
OR
microsoft.netcore.app.runtime.winx86Range<5.0.9
OR
microsoft.netcore.app.runtime.winx86Range<3.1.18

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

57.1%