CVE-2024-21319

Severity: high
Published 2024-01-10 · Modified 2024-01-10
CVSS v3: — (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)
CVSS v4: — (not yet in upstream)
VIR risk: 8.0

Description

RHSA-2024:0158: .NET 6.0 security update (Important)

Predictions

Exploit likelihood: 30%
Patch ETA: —

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. (Open-Errata-API)

Description

dotnet: .NET Denial of Service Vulnerability

Red Hat statement

This DoS vulnerability in .NET Core project templates utilizing JWT-based authentication tokens is considered a moderate issue due to its restricted impact. While unauthenticated clients can exploit the server's memory, potentially causing an out-of-memory condition and service disruption, the vulnerability does not lead to remote code execution or compromise sensitive data. Its exploitability is contingent on specific project configurations, limiting the scope of affected systems.

CVSS v3: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)

Errata / fixed releases

Product | Package | Advisory | Released
.NET Core on Red Hat Enterprise Linux | rh-dotnet60-dotnet-0:6.0.126-1.el7_9 | RHSA-2024:0255 | 2024-01-15T00:00:00Z
Red Hat Enterprise Linux 8 | dotnet8.0-0:8.0.101-1.el8_9 | RHSA-2024:0150 | 2024-01-10T00:00:00Z
Red Hat Enterprise Linux 8 | dotnet7.0-0:7.0.115-1.el8_9 | RHSA-2024:0157 | 2024-01-10T00:00:00Z
Red Hat Enterprise Linux 8 | dotnet6.0-0:6.0.126-1.el8_9 | RHSA-2024:0158 | 2024-01-10T00:00:00Z
Red Hat Enterprise Linux 9 | dotnet7.0-0:7.0.115-1.el9_3 | RHSA-2024:0151 | 2024-01-10T00:00:00Z
Red Hat Enterprise Linux 9 | dotnet8.0-0:8.0.101-1.el9_3 | RHSA-2024:0152 | 2024-01-10T00:00:00Z
Red Hat Enterprise Linux 9 | dotnet6.0-0:6.0.126-1.el9_3 | RHSA-2024:0156 | 2024-01-10T00:00:00Z

Apply commands

Apply RHSA-2024:0255 for .NET Core on Red Hat Enterprise Linux (bash):

    yum update -y rh-dotnet60-dotnet
    # or:
    dnf upgrade -y rh-dotnet60-dotnet

OS impact

AlmaLinux: Fixed (1 release)
Version | Status | Fixed in
9 | Fixed | dotnet-sdk-8.0-8.0.101-1.el9_3.aarch64.rpm

Red Hat: Fixed (2 releases)
Version | Status | Fixed in
9 | Fixed | —
8 | Fixed | —

Rocky Linux: Fixed (1 release)
Version | Status | Fixed in
8 | Fixed | —

Package impact

Ecosystem | Package | Vulnerable | Fixed
NuGet | System.IdentityModel.Tokens.Jwt | <5.7.0 | 5.7.0
NuGet | System.IdentityModel.Tokens.Jwt | >=6.5.0,<6.34.0 | 6.34.0
NuGet | System.IdentityModel.Tokens.Jwt | >=7.0.0-preview,<7.1.2 | 7.1.2
NuGet | Microsoft.IdentityModel.JsonWebTokens | <5.7.0 | 5.7.0
NuGet | Microsoft.IdentityModel.JsonWebTokens | >=6.5.0,<6.34.0 | 6.34.0
NuGet | Microsoft.IdentityModel.JsonWebTokens | >=7.0.0-preview,<7.1.2 | 7.1.2
