GHSA-r8m2-4x37-6592

Source

https://github.com/advisories/GHSA-r8m2-4x37-6592

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r8m2-4x37-6592

Aliases

Published

2022-09-15T03:25:36Z

Modified

2025-01-02T22:24:35.683050Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

.NET Denial of Service Vulnerability

Details

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A denial of service vulnerability exists in ASP.NET Core 3.1 and .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends a customized payload that is parsed during model binding.

Affected software

Any .NET 6.0 application running on .NET 6.0.8 or earlier.
Any ASP.NET Core 3.1 application running on .NET Core 3.1.28 or earlier. If your application uses the following package versions, ensure you update to the latest version of .NET.
.NET Core 3.1

.NET 6

Other

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/234 An Issue for this can be found at https://github.com/dotnet/aspnetcore/issues/43953 MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38013

Database specific

{
    "nvd_published_at": "2022-09-13T19:15:00Z",
    "github_reviewed_at": "2022-09-15T03:25:36Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "cwe_ids": []
}

References

Affected packages

NuGet

Microsoft.AspNetCore.App.Runtime.linux-arm

Package

Name: Microsoft.AspNetCore.App.Runtime.linux-arm; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.29

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.1.19

3.1.20

3.1.21

3.1.22

3.1.23

3.1.24

3.1.25

3.1.26

3.1.27

3.1.28

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.linux-arm64

Package

Name: Microsoft.AspNetCore.App.Runtime.linux-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.29

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.1.19

3.1.20

3.1.21

3.1.22

3.1.23

3.1.24

3.1.25

3.1.26

3.1.27

3.1.28

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.linux-musl-arm64

Package

Name: Microsoft.AspNetCore.App.Runtime.linux-musl-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.29

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.1.19

3.1.20

3.1.21

3.1.22

3.1.23

3.1.24

3.1.25

3.1.26

3.1.27

3.1.28

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.linux-musl-x64

Package

Name: Microsoft.AspNetCore.App.Runtime.linux-musl-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.29

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.1.19

3.1.20

3.1.21

3.1.22

3.1.23

3.1.24

3.1.25

3.1.26

3.1.27

3.1.28

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.linux-x64

Package

Name: Microsoft.AspNetCore.App.Runtime.linux-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.29

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.1.19

3.1.20

3.1.21

3.1.22

3.1.23

3.1.24

3.1.25

3.1.26

3.1.27

3.1.28

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.osx-x64

Package

Name: Microsoft.AspNetCore.App.Runtime.osx-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.osx-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.29

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.1.19

3.1.20

3.1.21

3.1.22

3.1.23

3.1.24

3.1.25

3.1.26

3.1.27

3.1.28

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.win-arm

Package

Name: Microsoft.AspNetCore.App.Runtime.win-arm; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.29

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.1.19

3.1.20

3.1.21

3.1.22

3.1.23

3.1.24

3.1.25

3.1.26

3.1.27

3.1.28

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.win-arm64

Package

Name: Microsoft.AspNetCore.App.Runtime.win-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.29

Affected versions

3.*

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.1.19

3.1.20

3.1.21

3.1.22

3.1.23

3.1.24

3.1.25

3.1.26

3.1.27

3.1.28

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.win-x64

Package

Name: Microsoft.AspNetCore.App.Runtime.win-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.29

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.1.19

3.1.20

3.1.21

3.1.22

3.1.23

3.1.24

3.1.25

3.1.26

3.1.27

3.1.28

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.win-x86

Package

Name: Microsoft.AspNetCore.App.Runtime.win-x86; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x86

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.29

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.1.19

3.1.20

3.1.21

3.1.22

3.1.23

3.1.24

3.1.25

3.1.26

3.1.27

3.1.28

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.linux-arm

Package

Name: Microsoft.AspNetCore.App.Runtime.linux-arm; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

6.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.linux-arm64

Package

Name: Microsoft.AspNetCore.App.Runtime.linux-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

6.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.linux-musl-arm

Package

Name: Microsoft.AspNetCore.App.Runtime.linux-musl-arm; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

6.0.9

Affected versions

5.*

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.linux-musl-arm64

Package

Name: Microsoft.AspNetCore.App.Runtime.linux-musl-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

6.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.linux-musl-x64

Package

Name: Microsoft.AspNetCore.App.Runtime.linux-musl-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

6.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.linux-x64

Package

Name: Microsoft.AspNetCore.App.Runtime.linux-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

6.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.osx-arm64

Package

Name: Microsoft.AspNetCore.App.Runtime.osx-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.osx-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

6.0.9

Affected versions

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.osx-x64

Package

Name: Microsoft.AspNetCore.App.Runtime.osx-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.osx-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

6.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.win-arm

Package

Name: Microsoft.AspNetCore.App.Runtime.win-arm; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

6.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.win-arm64

Package

Name: Microsoft.AspNetCore.App.Runtime.win-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

6.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.win-x64

Package

Name: Microsoft.AspNetCore.App.Runtime.win-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

6.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"

Microsoft.AspNetCore.App.Runtime.win-x86

Package

Name: Microsoft.AspNetCore.App.Runtime.win-x86; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x86

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

6.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json"