GHSA-485p-mrj5-8w2v

Suggest an improvement
Source
https://github.com/advisories/GHSA-485p-mrj5-8w2v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-485p-mrj5-8w2v/GHSA-485p-mrj5-8w2v.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-485p-mrj5-8w2v
Aliases
Published
2022-10-21T20:50:24Z
Modified
2024-02-22T05:31:40.378889Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
.NET Denial of Service Vulnerability
Details

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET 5.0 and .NET Core 3.1 where a malicious client can cause a Denial of Service via excess memory allocations through HttpClient.

Affected software

  • Any .NET 6.0 application running on .NET 6.0.4 or earlier.
  • Any .NET 5.0 application running .NET 5.0.16 or earlier.
  • Any .NET Core 3.1 applicaiton running on .NET Core 3.1.24 or earlier.

Patches

  • If you're using .NET Core 6.0, you should download and install Runtime 6.0.5 or SDK 6.0.105 (for Visual Studio 2022 v17.0) or SDK 6.0.203 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0.

  • If you're using .NET 5.0, you should download and install Runtime 5.0.17 or SDK 5.0.214 (for Visual Studio 2019 v16.9) or SDK 5.0.408 (for Visual Studio 2011 v16.11) from https://dotnet.microsoft.com/download/dotnet-core/5.0.

  • If you're using .NET Core 3.1, you should download and install Runtime 3.1.25 or SDK 3.1.419 (for Visual Studio 2019 v16.9 or Visual Studio 2011 16.11 or Visual Studio 2022 17.0 or Visual Studio 2022 17.1 ) from https://dotnet.microsoft.com/download/dotnet-core/3.1.

.NET 6.0, .NET 5.0 and .NET Core 3.1 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Other Details

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/221 An Issue for this can be found at https://github.com/dotnet/runtime/issues/69149 MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-23267

Database specific 
{
    "nvd_published_at": "2022-05-10T21:15:00Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-21T20:50:24Z"
}
References

Affected packages

NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-arm
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.1.25

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24

NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-arm64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.1.25

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24

NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-arm64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.1.25

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24

NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-musl-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.1.25

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24

NuGet / Microsoft.AspNetCore.App.Runtime.linux-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.1.25

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24

NuGet / Microsoft.AspNetCore.App.Runtime.osx-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.osx-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.osx-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.1.25

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24

NuGet / Microsoft.AspNetCore.App.Runtime.win-arm

Package

Name
Microsoft.AspNetCore.App.Runtime.win-arm
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.1.25

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24

NuGet / Microsoft.AspNetCore.App.Runtime.win-arm64

Package

Name
Microsoft.AspNetCore.App.Runtime.win-arm64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.1.25

Affected versions

3.*

3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24

NuGet / Microsoft.AspNetCore.App.Runtime.win-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.win-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.1.25

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24

NuGet / Microsoft.AspNetCore.App.Runtime.win-x86

Package

Name
Microsoft.AspNetCore.App.Runtime.win-x86
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x86

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.1.25

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24

NuGet / Microsoft.AspNetCore.App.Runtime.win-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.win-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.17

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16

NuGet / Microsoft.AspNetCore.App.Runtime.linux-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.17

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16

NuGet / Microsoft.AspNetCore.App.Runtime.win-x86

Package

Name
Microsoft.AspNetCore.App.Runtime.win-x86
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x86

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.17

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16

NuGet / Microsoft.AspNetCore.App.Runtime.osx-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.osx-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.osx-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.17

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16

NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-musl-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.17

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16

NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-arm64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.17

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16

NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-arm
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.17

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16

NuGet / Microsoft.AspNetCore.App.Runtime.win-arm64

Package

Name
Microsoft.AspNetCore.App.Runtime.win-arm64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.17

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16

NuGet / Microsoft.AspNetCore.App.Runtime.win-arm

Package

Name
Microsoft.AspNetCore.App.Runtime.win-arm
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.17

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16

NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-arm64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.17

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16

NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-arm

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-musl-arm
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.1
Fixed
5.0.17

Affected versions

5.*

5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16

NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-arm
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.5

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4

NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-arm64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-arm64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.5

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4

NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-arm

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-musl-arm
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.5

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4

NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-arm64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.5

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4

NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-musl-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.5

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4

NuGet / Microsoft.AspNetCore.App.Runtime.linux-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.linux-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.5

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4

NuGet / Microsoft.AspNetCore.App.Runtime.osx-arm64

Package

Name
Microsoft.AspNetCore.App.Runtime.osx-arm64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.osx-arm64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.5

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4

NuGet / Microsoft.AspNetCore.App.Runtime.osx-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.osx-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.osx-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.5

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4

NuGet / Microsoft.AspNetCore.App.Runtime.win-arm

Package

Name
Microsoft.AspNetCore.App.Runtime.win-arm
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.5

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4

NuGet / Microsoft.AspNetCore.App.Runtime.win-arm64

Package

Name
Microsoft.AspNetCore.App.Runtime.win-arm64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-arm64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.5

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4

NuGet / Microsoft.AspNetCore.App.Runtime.win-x64

Package

Name
Microsoft.AspNetCore.App.Runtime.win-x64
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x64

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.5

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4

NuGet / Microsoft.AspNetCore.App.Runtime.win-x86

Package

Name
Microsoft.AspNetCore.App.Runtime.win-x86
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.AspNetCore.App.Runtime.win-x86

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.5

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4