PT-2021-4178 · Microsoft+3 · .Net Framework+5

Peter Stöckli · Published 2021-08-10 · Updated 2024-03-06 · CVE-2021-26423

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

.NET Core versions 2.1 through 3.1
.NET Core version 5.0
Visual Studio (affected versions not specified)

Description

A denial of service issue exists due to insufficient input validation. This could allow a remote attacker to cause a denial of service. The issue is related to .NET (Core) server applications providing WebSocket endpoints, which could be tricked into endlessly looping while trying to read a single WebSocket frame.

Recommendations

If you're using .NET 5.0, download and install Runtime 5.0.9 or SDK 5.0.206 (for Visual Studio 2019 v16.8) or SDK 5.0.303 (for Visual Studio 2019 v16.10).
If you're using .NET Core 3.1, download and install Runtime 3.1.18 or SDK 3.1.118 (for Visual Studio 2019 v16.4) or 3.1.412 (for Visual Studio 2019 v16.7 or later).
If you're using .NET Core 2.1, download and install Runtime 2.1.29 or SDK 2.1.525 (for Visual Studio 2019 v15.9) or 2.1.817.
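To check hosts against the runtime versions in the recommendations, the following added example (not part of the original advisory or of any Microsoft tooling) classifies the lines printed by `dotnet --list-runtimes`. The function name `audit`, the status labels and the sample listing are constructed for illustration, and it assumes every shared framework line follows the runtime's patch numbering.

```python
import re

# Minimum patched runtime per release line, from the Recommendations section.
PATCHED = {(5, 0): (5, 0, 9), (3, 1): (3, 1, 18), (2, 1): (2, 1, 29)}
# The advisory lists .NET Core 2.1 through 3.1 as affected.
AFFECTED_RANGE = ((2, 1), (3, 1))

# `dotnet --list-runtimes` prints: "<framework name> <version> [<install path>]"
LINE = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)(-\S+)?\s+\[.*\]$")

# Constructed sample listing (not captured from a real host).
SAMPLE = """\
Microsoft.AspNetCore.App 3.1.17 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.29 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.17 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.9 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.0-preview.7.21377.19 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

def audit(listing):
    """Return (framework, version, status) for each runtime line in the listing."""
    results = []
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank lines and anything that is not a runtime entry
        ver = tuple(int(m.group(i)) for i in (2, 3, 4))
        pre = m.group(5) or ""
        fixed = PATCHED.get(ver[:2])
        if fixed is None:
            # Release lines such as 2.2 or 3.0 sit inside the affected range
            # but the advisory names no fixed build for them.
            in_range = AFFECTED_RANGE[0] <= ver[:2] <= AFFECTED_RANGE[1]
            status = "affected-no-fix-listed" if in_range else "not-listed"
        elif ver < fixed or (ver == fixed and pre):
            status = "vulnerable"  # a prerelease of the fixed build sorts before it
        else:
            status = "patched"
        results.append((m.group(1), ".".join(map(str, ver)) + pre, status))
    return results

if __name__ == "__main__":
    for name, version, status in audit(SAMPLE):
        print(f"{status:24} {name} {version}")
```

Replace `SAMPLE` with the real output of `dotnet --list-runtimes` from each host that serves WebSocket endpoints.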

Fix

RCE


Weakness Enumeration

Related Identifiers

ALT-PU-2022-1269
ALT-PU-2022-1270
ALT-PU-2022-1272
ALT-PU-2022-1273
ALT-PU-2022-1274
ALT-PU-2022-1275
ALT-PU-2022-1276
ALT-PU-2022-1352
ALT-PU-2022-1353
ALT-PU-2022-1354
ALT-PU-2022-1355
ALT-PU-2022-1357
ALT-PU-2022-1358
ALT-PU-2022-1360
ALT-PU-2022-1544
ALT-PU-2022-1545
ALT-PU-2022-1548
ALT-PU-2022-1549
ALT-PU-2022-1550
ALT-PU-2022-1551
BDU:2021-04773
BIT-DOTNET-2021-26423
BIT-DOTNET-SDK-2021-26423
CESA-2021_3142
CESA-2021_3148
CVE-2021-26423
GHSA-RH58-R7JH-XHX3
RHSA-2021:3142
RHSA-2021:3143
RHSA-2021:3147
RHSA-2021:3148
RHSA-2021_3142
RHSA-2021_3148

Affected Products

.Net Framework
Alt Linux
CentOS
.NET Core
Red Hat
Visual Studio