GHSA-rh58-r7jh-xhx3

Source

https://github.com/advisories/GHSA-rh58-r7jh-xhx3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-rh58-r7jh-xhx3/GHSA-rh58-r7jh-xhx3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rh58-r7jh-xhx3

Aliases

Published

2022-10-25T17:33:12Z

Modified

2024-12-01T05:38:38.177837Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

.NET Core Elevation of Privilege Vulnerability

Details

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A denial of service vulnerability exists in .NET 5.0, .NET Core 3.1 and .NET Core 2.1 where .NET (Core) server applications providing WebSocket endpoints could be tricked into endlessly looping while trying to read a single WebSocket frame.

Patches

If you're using .NET 5.0, you should download and install Runtime 5.0.9 or SDK 5.0.206 (for Visual Studio 2019 v16.8) or SDK 5.0.303 (for Visual Studio 2019 V16.10) from https://dotnet.microsoft.com/download/dotnet-core/5.0.
If you're using .NET Core 3.1, you should download and install Runtime 3.1.18 or SDK 3.1.118 (for Visual Studio 2019 v16.4) or 3.1.412 (for Visual Studio 2019 v16.7 or later) from https://dotnet.microsoft.com/download/dotnet-core/3.1.
If you're using .NET Core 2.1, you should download and install Runtime 2.1.29 or SDK 2.1.525 (for Visual Studio 2019 v15.9) or 2.1.817 from https://dotnet.microsoft.com/download/dotnet-core/2.1.

Other Details

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/194
An Issue for this can be found at https://github.com/dotnet/runtime/issues/57175
MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26423

Database specific

{
    "nvd_published_at": "2021-08-12T18:15:00Z",
    "cwe_ids": [],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-25T17:33:12Z"
}

References

Affected packages

NuGet / Microsoft.NETCore.App.Runtime.win-x86

Package

Name: Microsoft.NETCore.App.Runtime.win-x86; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.win-x86

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.win-x86

Package

Name: Microsoft.NETCore.App.Runtime.win-x86; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.win-x86

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.win-x64

Package

Name: Microsoft.NETCore.App.Runtime.win-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.win-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.win-x64

Package

Name: Microsoft.NETCore.App.Runtime.win-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.win-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.win-arm64

Package

Name: Microsoft.NETCore.App.Runtime.win-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.win-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.win-arm64

Package

Name: Microsoft.NETCore.App.Runtime.win-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.win-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.win-arm

Package

Name: Microsoft.NETCore.App.Runtime.win-arm; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.win-arm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.win-arm

Package

Name: Microsoft.NETCore.App.Runtime.win-arm; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.win-arm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.osx-x64

Package

Name: Microsoft.NETCore.App.Runtime.osx-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.osx-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.osx-x64

Package

Name: Microsoft.NETCore.App.Runtime.osx-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.osx-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.osx-x64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.osx-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.osx-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.LLVM.osx-x64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.LLVM.osx-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.osx-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-x64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-arm64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.osx-x64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.osx-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.osx-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-x64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-arm64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.linux-x64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.linux-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.linux-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.linux-arm64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.linux-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.linux-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.linux-arm

Package

Name: Microsoft.NETCore.App.Runtime.Mono.linux-arm; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.linux-arm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.linux-x64

Package

Name: Microsoft.NETCore.App.Runtime.linux-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.linux-x64

Package

Name: Microsoft.NETCore.App.Runtime.linux-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.linux-musl-x64

Package

Name: Microsoft.NETCore.App.Runtime.linux-musl-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-musl-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.linux-musl-x64

Package

Name: Microsoft.NETCore.App.Runtime.linux-musl-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-musl-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.linux-musl-arm64

Package

Name: Microsoft.NETCore.App.Runtime.linux-musl-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-musl-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.linux-musl-arm64

Package

Name: Microsoft.NETCore.App.Runtime.linux-musl-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-musl-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.linux-musl-arm

Package

Name: Microsoft.NETCore.App.Runtime.linux-musl-arm; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-musl-arm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.rhel.6-x64

Package

Name: Microsoft.NETCore.App.Runtime.rhel.6-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.rhel.6-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.linux-arm64

Package

Name: Microsoft.NETCore.App.Runtime.linux-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.linux-arm64

Package

Name: Microsoft.NETCore.App.Runtime.linux-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.linux-arm

Package

Name: Microsoft.NETCore.App.Runtime.linux-arm; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-arm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.linux-arm

Package

Name: Microsoft.NETCore.App.Runtime.linux-arm; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-arm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8