USN-6217-1

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/notices/USN-6217-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6217-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-6217-1
Upstream
Related
Published
2023-07-11T19:31:45.628698Z
Modified
2025-10-13T04:36:29Z
Summary
dotnet6, dotnet7 vulnerability
Details

McKee-Harris, Matt Cotterell, and Jack Moran discovered that .NET did not properly update account lockout maximum failed attempts. An attacker could possibly use this issue to bypass the security feature and attempt to guess more passwords for an account.

References

Affected packages

Ubuntu:22.04:LTS / dotnet6

Package

Name
dotnet6
Purl
pkg:deb/ubuntu/dotnet6@6.0.120-0ubuntu1~22.04.1?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.120-0ubuntu1~22.04.1

Affected versions

6.*

6.0.108-0ubuntu1~22.04.1
6.0.109-0ubuntu1~22.04.1
6.0.110-0ubuntu1~22.04.1
6.0.111-0ubuntu1~22.04.1
6.0.113-0ubuntu1~22.04.1
6.0.116-0ubuntu1~22.04.1
6.0.118-0ubuntu1~22.04.1
6.0.119-0ubuntu1~22.04.1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "aspnetcore-runtime-6.0",
            "binary_version": "6.0.120-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "aspnetcore-targeting-pack-6.0",
            "binary_version": "6.0.120-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet-apphost-pack-6.0",
            "binary_version": "6.0.120-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet-host",
            "binary_version": "6.0.120-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet-hostfxr-6.0",
            "binary_version": "6.0.120-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet-runtime-6.0",
            "binary_version": "6.0.120-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet-sdk-6.0",
            "binary_version": "6.0.120-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet-sdk-6.0-source-built-artifacts",
            "binary_version": "6.0.120-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet-targeting-pack-6.0",
            "binary_version": "6.0.120-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet-templates-6.0",
            "binary_version": "6.0.120-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet6",
            "binary_version": "6.0.120-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "netstandard-targeting-pack-2.1",
            "binary_version": "6.0.120-0ubuntu1~22.04.1"
        }
    ],
    "availability": "No subscription required"
}

Database specific

cves_map

{
    "cves": [
        {
            "id": "CVE-2023-33170",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        }
    ],
    "ecosystem": "Ubuntu:22.04:LTS"
}

Ubuntu:22.04:LTS / dotnet7

Package

Name
dotnet7
Purl
pkg:deb/ubuntu/dotnet7@7.0.109-0ubuntu1~22.04.1?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.0.109-0ubuntu1~22.04.1

Affected versions

7.*

7.0.105-0ubuntu1~22.04.1
7.0.107-0ubuntu1~22.04.1
7.0.108-0ubuntu1~22.04.1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "aspnetcore-runtime-7.0",
            "binary_version": "7.0.109-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "aspnetcore-targeting-pack-7.0",
            "binary_version": "7.0.109-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet-apphost-pack-7.0",
            "binary_version": "7.0.109-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet-host-7.0",
            "binary_version": "7.0.109-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet-hostfxr-7.0",
            "binary_version": "7.0.109-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet-runtime-7.0",
            "binary_version": "7.0.109-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet-sdk-7.0",
            "binary_version": "7.0.109-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet-sdk-7.0-source-built-artifacts",
            "binary_version": "7.0.109-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet-targeting-pack-7.0",
            "binary_version": "7.0.109-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet-templates-7.0",
            "binary_version": "7.0.109-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "dotnet7",
            "binary_version": "7.0.109-0ubuntu1~22.04.1"
        },
        {
            "binary_name": "netstandard-targeting-pack-2.1-7.0",
            "binary_version": "7.0.109-0ubuntu1~22.04.1"
        }
    ],
    "availability": "No subscription required"
}

Database specific

cves_map

{
    "cves": [
        {
            "id": "CVE-2023-33170",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        }
    ],
    "ecosystem": "Ubuntu:22.04:LTS"
}