Veracode Vulnerability DatabaseVERACODE:38843Denial Of Service (DoS)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
31.5%
microsoft.netcore.app.runtime.* packages are vulnerable to Denial of Service (DoS) attacks. The vulnerability is due to the DataContractSerializer handling recursive collections, which allows a malicious user to cause a stack overflow which may result in a denial of service, resulting in an application crash.
References
github.com/advisories/GHSA-8f7f-vqg5-jrv9
github.com/dotnet/runtime/commit/26f99bc7714a6d601ae5db2513622ebd003bbd30
github.com/dotnet/runtime/issues/80449
lists.fedoraproject.org/archives/list/[email protected]/message/GV5QDWYJ4C26JB7RTI55Z4O76WSH4FMV/
lists.fedoraproject.org/archives/list/[email protected]/message/ZI27LYW5C4Z4644WYIQWOXBZL7WIP2X6/
msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21538
msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21538
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21538
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
31.5%