GHSA-vh55-786g-wjwj

Suggest an improvement
Source
https://github.com/advisories/GHSA-vh55-786g-wjwj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-vh55-786g-wjwj/GHSA-vh55-786g-wjwj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vh55-786g-wjwj
Aliases
Published
2024-02-03T00:47:54Z
Modified
2024-12-04T05:27:18.802016Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
.NET Information Disclosure Vulnerability
Details

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

An information disclosure vulnerability exists in .NET Core 3.1 and .NET 6.0 that could lead to unauthorized access of privileged information.

<a name="affected-software"></a>Affected software

  • Any .NET 6.0 application running on .NET 6.0.7 or earlier.
  • Any .NET Core 3.1 applicaiton running on .NET Core 3.1.27 or earlier.

If your application uses the following package versions, ensure you update to the latest version of .NET.

<a name=".NET Core 3.1"></a>.NET Core 3.1

Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- System.Security.Cryptography.Xml| <=4.7.0| 4.7.1 Microsoft.AspNetCore.App.Runtime.win-x64| >=3.1.0, 3.1.27| 3.1.28 Microsoft.AspNetCore.App.Runtime.linux-x64| >=3.1.0, 3.1.27| 3.1.28 Microsoft.AspNetCore.App.Runtime.win-x86| >=3.1.0, 3.1.27| 3.1.28 Microsoft.AspNetCore.App.Runtime.osx-x64| >=3.1.0, 3.1.27| 3.1.28 Microsoft.AspNetCore.App.Runtime.linux-musl-x64| >=3.1.0, 3.1.27| 3.1.28 Microsoft.AspNetCore.App.Runtime.linux-arm64| >=3.1.0, 3.1.27| 3.1.28 Microsoft.AspNetCore.App.Runtime.linux-arm| >=3.1.0, 3.1.27| 3.1.28 Microsoft.AspNetCore.App.Runtime.win-arm64| >=3.1.0, 3.1.27| 3.1.28 Microsoft.AspNetCore.App.Runtime.win-arm| >=3.1.0, 3.1.27| 3.1.28 Microsoft.AspNetCore.App.Runtime.linux-musl-arm64| >=3.1.0, 3.1.27| 3.1.28 Microsoft.AspNetCore.App.Runtime.linux-musl-arm| >=3.1.0, 3.1.27| 3.1.28

<a name=".NET 6"></a>.NET 6

Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- System.Security.Cryptography.Xml| >=5.0.0, 6.0.0| 6.0.1 Microsoft.AspNetCore.App.Runtime.win-x64| >=6.0.0, 6.0.7| 6.0.8 Microsoft.AspNetCore.App.Runtime.linux-x64| >=6.0.0, 6.0.7| 6.0.8 Microsoft.AspNetCore.App.Runtime.win-x86| >=6.0.0, 6.0.7| 6.0.8 Microsoft.AspNetCore.App.Runtime.osx-x64| >=6.0.0, 6.0.7| 6.0.8 Microsoft.AspNetCore.App.Runtime.linux-musl-x64| >=6.0.0, 6.0.7| 6.0.8 Microsoft.AspNetCore.App.Runtime.linux-arm64| >=6.0.0, 6.0.7| 6.0.8 Microsoft.AspNetCore.App.Runtime.linux-arm| >=6.0.0, 6.0.7| 6.0.8 Microsoft.AspNetCore.App.Runtime.win-arm64| >=6.0.0, 6.0.7| 6.0.8 Microsoft.AspNetCore.App.Runtime.win-arm| >=6.0.0, 6.0.7| 6.0.8 Microsoft.AspNetCore.App.Runtime.osx-arm64| >=6.0.0, 6.0.7| 6.0.8 Microsoft.AspNetCore.App.Runtime.linux-musl-arm64| >=6.0.0, 6.0.7| 6.0.8 Microsoft.AspNetCore.App.Runtime.linux-musl-arm| >=6.0.0, 6.0.7| 6.0.8

Patches

  • If you're using .NET 6.0, you should download and install Runtime 6.0.8 or SDK 6.0.108 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0.
  • If you're using .NET Core 3.1, you should download and install Runtime 3.1.28 (for Visual Studio 2019 v16.9) from https://dotnet.microsoft.com/download/dotnet-core/3.1.

Other

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/232 An Issue for this can be found at https://github.com/dotnet/aspnetcore/issues/43166 MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34716

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-03T00:47:54Z"
}
References

Affected packages

NuGet / System.Security.Cryptography.Xml

Package

Name
System.Security.Cryptography.Xml
View open source insights on deps.dev
Purl
pkg:nuget/System.Security.Cryptography.Xml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.7.1

Affected versions

4.*

4.4.0-preview1-25305-02
4.4.0-preview2-25405-01
4.4.0
4.4.1
4.4.2
4.5.0-preview1-25914-04
4.5.0-preview1-26216-02
4.5.0-preview2-26406-04
4.5.0-rc1
4.5.0
4.6.0
4.7.0

Database specific 

{
    "last_known_affected_version_range": "<= 4.7.0"
}

NuGet / System.Security.Cryptography.Xml

Package

Name
System.Security.Cryptography.Xml
View open source insights on deps.dev
Purl
pkg:nuget/System.Security.Cryptography.Xml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
6.0.1

Affected versions

5.*

5.0.0

6.*

6.0.0

Database specific 

{
    "last_known_affected_version_range": "<= 6.0.0"
}

NuGet / Microsoft.AspNetCore.App.Runtime.win-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.win-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.28

Affected versions

3.*

3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24
3.1.25
3.1.26
3.1.27

Database specific 

{
    "last_known_affected_version_range": "<= 3.1.27"
}

NuGet / Microsoft.AspNetCore.App.Runtime.win-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.win-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.8

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7

Database specific 

{
    "last_known_affected_version_range": "<= 6.0.7"
}

NuGet / Microsoft.AspNetCore.App.Runtime.linux-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.28

Affected versions

3.*

3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24
3.1.25
3.1.26
3.1.27

Database specific 

{
    "last_known_affected_version_range": "<= 3.1.27"
}

NuGet / Microsoft.AspNetCore.App.Runtime.linux-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.8

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7

Database specific 

{
    "last_known_affected_version_range": "<= 6.0.7"
}

NuGet / Microsoft.AspNetCore.App.Runtime.win-x86

Package

Name
Microsoft.AspNetCore.App.Runtime.win-x86
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x86

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.28

Affected versions

3.*

3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24
3.1.25
3.1.26
3.1.27

Database specific 

{
    "last_known_affected_version_range": "<= 3.1.27"
}

NuGet / Microsoft.AspNetCore.App.Runtime.win-x86

Package

Name
Microsoft.AspNetCore.App.Runtime.win-x86
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x86

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.8

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7

Database specific 

{
    "last_known_affected_version_range": "<= 6.0.7"
}

NuGet / Microsoft.AspNetCore.App.Runtime.osx-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.osx-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.osx-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.28

Affected versions

3.*

3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24
3.1.25
3.1.26
3.1.27

Database specific 

{
    "last_known_affected_version_range": "<= 3.1.27"
}

NuGet / Microsoft.AspNetCore.App.Runtime.osx-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.osx-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.osx-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.8

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7

Database specific 

{
    "last_known_affected_version_range": "<= 6.0.7"
}

NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-musl-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.28

Affected versions

3.*

3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24
3.1.25
3.1.26
3.1.27

Database specific 

{
    "last_known_affected_version_range": "<= 3.1.27"
}

NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-musl-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.8

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7

Database specific 

{
    "last_known_affected_version_range": "<= 6.0.7"
}

NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-arm64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.28

Affected versions

3.*

3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24
3.1.25
3.1.26
3.1.27

Database specific 

{
    "last_known_affected_version_range": "<= 3.1.27"
}

NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-arm64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.8

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7

Database specific 

{
    "last_known_affected_version_range": "<= 6.0.7"
}

NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-arm
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.28

Affected versions

3.*

3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24
3.1.25
3.1.26
3.1.27

Database specific 

{
    "last_known_affected_version_range": "<= 3.1.27"
}

NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-arm
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.8

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7

Database specific 

{
    "last_known_affected_version_range": "<= 6.0.7"
}

NuGet / Microsoft.AspNetCore.App.Runtime.win-arm64

Package

Name
Microsoft.AspNetCore.App.Runtime.win-arm64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.28

Affected versions

3.*

3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24
3.1.25
3.1.26
3.1.27

Database specific 

{
    "last_known_affected_version_range": "<= 3.1.27"
}

NuGet / Microsoft.AspNetCore.App.Runtime.win-arm64

Package

Name
Microsoft.AspNetCore.App.Runtime.win-arm64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.8

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7

Database specific 

{
    "last_known_affected_version_range": "<= 6.0.7"
}

NuGet / Microsoft.AspNetCore.App.Runtime.win-arm

Package

Name
Microsoft.AspNetCore.App.Runtime.win-arm
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.28

Affected versions

3.*

3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24
3.1.25
3.1.26
3.1.27

Database specific 

{
    "last_known_affected_version_range": "<= 3.1.27"
}

NuGet / Microsoft.AspNetCore.App.Runtime.win-arm

Package

Name
Microsoft.AspNetCore.App.Runtime.win-arm
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.8

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7

Database specific 

{
    "last_known_affected_version_range": "<= 6.0.7"
}

NuGet / Microsoft.AspNetCore.App.Runtime.osx-arm64

Package

Name
Microsoft.AspNetCore.App.Runtime.osx-arm64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.osx-arm64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.8

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7

Database specific 

{
    "last_known_affected_version_range": "<= 6.0.7"
}

NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-arm64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.28

Affected versions

3.*

3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24
3.1.25
3.1.26
3.1.27

Database specific 

{
    "last_known_affected_version_range": "<= 3.1.27"
}

NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-arm64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.8

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7

Database specific 

{
    "last_known_affected_version_range": "<= 6.0.7"
}

NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-arm

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-musl-arm
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.28

Database specific 

{
    "last_known_affected_version_range": "<= 3.1.27"
}

NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-arm

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-musl-arm
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.8

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7

Database specific 

{
    "last_known_affected_version_range": "<= 6.0.7"
}