GHSA-r8m2-4x37-6592
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r8m2-4x37-6592
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r8m2-4x37-6592/GHSA-r8m2-4x37-6592.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r8m2-4x37-6592
- Aliases
- Published
- 2022-09-15T03:25:36Z
- Modified
- 2024-11-28T05:35:48.454769Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- .NET Denial of Service Vulnerability
- Details
-
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A denial of service vulnerability exists in ASP.NET Core 3.1 and .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends a customized payload that is parsed during model binding.
<a name="affected-software"></a>Affected software
- Any .NET 6.0 application running on .NET 6.0.8 or earlier.
- Any ASP.NET Core 3.1 application running on .NET Core 3.1.28 or earlier.
If your application uses the following package versions, ensure you update to the latest version of .NET.
<a name="ASP.NET Core 3.1"></a>.NET Core 3.1
Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- Microsoft.AspNetCore.App.Runtime.linux-arm|>= 3.1.0, < 3.1.29|3.1.29 Microsoft.AspNetCore.App.Runtime.linux-arm64|>= 3.1.0, < 3.1.29|3.1.29 Microsoft.AspNetCore.App.Runtime.linux-musl-arm64|>= 3.1.0, < 3.1.29|3.1.29 Microsoft.AspNetCore.App.Runtime.linux-musl-x64|>= 3.1.0, < 3.1.29|3.1.29 Microsoft.AspNetCore.App.Runtime.linux-x64|>= 3.1.0, < 3.1.29|3.1.29 Microsoft.AspNetCore.App.Runtime.osx-x64|>= 3.1.0, < 3.1.29|3.1.29 Microsoft.AspNetCore.App.Runtime.win-arm|>= 3.1.0, < 3.1.29|3.1.29 Microsoft.AspNetCore.App.Runtime.win-arm64|>= 3.1.5, < 3.1.29|3.1.29 Microsoft.AspNetCore.App.Runtime.win-x64|>= 3.1.0, < 3.1.29|3.1.29 Microsoft.AspNetCore.App.Runtime.win-x86|>= 3.1.0, < 3.1.29|3.1.29
<a name=".NET 6"></a>.NET 6
Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- Microsoft.AspNetCore.App.Runtime.linux-arm|>= 5.0.0, < 6.0.9|6.0.9 Microsoft.AspNetCore.App.Runtime.linux-arm64|>= 5.0.0, < 6.0.9|6.0.9 Microsoft.AspNetCore.App.Runtime.linux-musl-arm|>= 5.0.1, < 6.0.9|6.0.9 Microsoft.AspNetCore.App.Runtime.linux-musl-arm64|>= 5.0.0, < 6.0.9|6.0.9 Microsoft.AspNetCore.App.Runtime.linux-musl-x64|>= 5.0.0, < 6.0.9|6.0.9 Microsoft.AspNetCore.App.Runtime.linux-x64|>= 5.0.0, < 6.0.9|6.0.9 Microsoft.AspNetCore.App.Runtime.osx-arm64|>= 6.0.0, < 6.0.9|6.0.9 Microsoft.AspNetCore.App.Runtime.osx-x64|>= 5.0.0, < 6.0.9|6.0.9 Microsoft.AspNetCore.App.Runtime.win-arm|>= 5.0.0, < 6.0.9|6.0.9 Microsoft.AspNetCore.App.Runtime.win-arm64|>= 5.0.0, < 6.0.9|6.0.9 Microsoft.AspNetCore.App.Runtime.win-x64|>= 5.0.0, < 6.0.9|6.0.9 Microsoft.AspNetCore.App.Runtime.win-x86|>= 5.0.0, < 6.0.9|6.0.9
Other
Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/234 An Issue for this can be found at https://github.com/dotnet/aspnetcore/issues/43953 MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38013
- Database specific
{ "nvd_published_at": "2022-09-13T19:15:00Z", "cwe_ids": [], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-09-15T03:25:36Z" }- References
-
- https://github.com/dotnet/aspnetcore/security/advisories/GHSA-r8m2-4x37-6592
- https://nvd.nist.gov/vuln/detail/CVE-2022-38013
- https://github.com/dotnet/aspnetcore
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2CUL3Z7MEED7RFQZVGQL2MTKSFFZKAAY
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7HCV4TQGOTOFHO5ETRKGFKAGYV2YAUVE
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JA6F4CDKLI3MALV6UK3P2DR5AGCLTT7Y
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4K5YL7USOKIR3O2DUKBZMYPWXYPDKXG
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WL334CKOHA6BQQSYJW365HIWJ4IOE45M
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2CUL3Z7MEED7RFQZVGQL2MTKSFFZKAAY
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HCV4TQGOTOFHO5ETRKGFKAGYV2YAUVE
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JA6F4CDKLI3MALV6UK3P2DR5AGCLTT7Y
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4K5YL7USOKIR3O2DUKBZMYPWXYPDKXG
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WL334CKOHA6BQQSYJW365HIWJ4IOE45M
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38013
Affected packages
NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm
Package
- Name
- Microsoft.AspNetCore.App.Runtime.linux-arm
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm
NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm64
Package
- Name
- Microsoft.AspNetCore.App.Runtime.linux-arm64
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm64
NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
Package
- Name
- Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-x64
Package
- Name
- Microsoft.AspNetCore.App.Runtime.linux-musl-x64
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-x64
NuGet / Microsoft.AspNetCore.App.Runtime.linux-x64
Package
- Name
- Microsoft.AspNetCore.App.Runtime.linux-x64
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-x64
NuGet / Microsoft.AspNetCore.App.Runtime.osx-x64
Package
- Name
- Microsoft.AspNetCore.App.Runtime.osx-x64
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.osx-x64
NuGet / Microsoft.AspNetCore.App.Runtime.win-arm
Package
- Name
- Microsoft.AspNetCore.App.Runtime.win-arm
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm
NuGet / Microsoft.AspNetCore.App.Runtime.win-arm64
Package
- Name
- Microsoft.AspNetCore.App.Runtime.win-arm64
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm64
NuGet / Microsoft.AspNetCore.App.Runtime.win-x64
Package
- Name
- Microsoft.AspNetCore.App.Runtime.win-x64
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x64
NuGet / Microsoft.AspNetCore.App.Runtime.win-x86
Package
- Name
- Microsoft.AspNetCore.App.Runtime.win-x86
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x86
NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm
Package
- Name
- Microsoft.AspNetCore.App.Runtime.linux-arm
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm
NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm64
Package
- Name
- Microsoft.AspNetCore.App.Runtime.linux-arm64
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm64
NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-arm
Package
- Name
- Microsoft.AspNetCore.App.Runtime.linux-musl-arm
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm
NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
Package
- Name
- Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-x64
Package
- Name
- Microsoft.AspNetCore.App.Runtime.linux-musl-x64
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-x64
NuGet / Microsoft.AspNetCore.App.Runtime.linux-x64
Package
- Name
- Microsoft.AspNetCore.App.Runtime.linux-x64
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-x64
NuGet / Microsoft.AspNetCore.App.Runtime.osx-arm64
Package
- Name
- Microsoft.AspNetCore.App.Runtime.osx-arm64
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.osx-arm64
NuGet / Microsoft.AspNetCore.App.Runtime.osx-x64
Package
- Name
- Microsoft.AspNetCore.App.Runtime.osx-x64
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.osx-x64
NuGet / Microsoft.AspNetCore.App.Runtime.win-arm
Package
- Name
- Microsoft.AspNetCore.App.Runtime.win-arm
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm
NuGet / Microsoft.AspNetCore.App.Runtime.win-arm64
Package
- Name
- Microsoft.AspNetCore.App.Runtime.win-arm64
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm64
NuGet / Microsoft.AspNetCore.App.Runtime.win-x64
Package
- Name
- Microsoft.AspNetCore.App.Runtime.win-x64
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x64
NuGet / Microsoft.AspNetCore.App.Runtime.win-x86
Package
- Name
- Microsoft.AspNetCore.App.Runtime.win-x86
- View open source insights on deps.dev
- Purl
- pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x86