PT-2022-1791 · Microsoft+5 · Net 5.0+7

Published: 2022-02-08 · Updated: 2024-03-06 · CVE-2022-21986

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

.NET 6.0 versions 6.0.0 through 6.0.1
.NET 5.0 versions 5.0.0 through 5.0.13

Description

A Denial of Service issue exists in .NET 6.0 and .NET 5.0 when the Kestrel web server processes certain HTTP/2 and HTTP/3 requests. This is due to insufficient input validation. Exploitation of this issue could allow a remote attacker to cause a denial of service.

Recommendations

For .NET 6.0 versions 6.0.0 through 6.0.1, update to .NET 6.0.2 or install SDK 6.0.102. For .NET 5.0 versions 5.0.0 through 5.0.13, update to Runtime 5.0.14 or install SDK 5.0.114 or SDK 5.0.405. As a temporary workaround, consider restricting access to the Kestrel web server until the issue is resolved.
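As an added inventory check (not part of this advisory), the script below parses the output of `dotnet --list-runtimes` and flags installed Microsoft.AspNetCore.App runtimes, the shared framework that ships Kestrel, whose version falls inside the affected ranges listed above. The listing is a constructed sample, and the assumption is that the ASP.NET Core runtime version tracks the .NET runtime versions named in the recommendations.

```python
import re

# Affected ranges from the advisory (inclusive) and the first fixed runtime per branch.
AFFECTED = {
    (5, 0): ((5, 0, 0), (5, 0, 13)),
    (6, 0): ((6, 0, 0), (6, 0, 1)),
}
FIXED = {(5, 0): "5.0.14", (6, 0): "6.0.2"}

# Constructed sample of `dotnet --list-runtimes` output (not captured from a real host).
SAMPLE_LISTING = """\
Microsoft.AspNetCore.App 5.0.13 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.1 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.2 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.1 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

# "<framework> <major.minor.patch>[-prerelease] [<path>]"
LINE_RE = re.compile(r"^(?P<name>\S+) (?P<ver>\d+\.\d+\.\d+)(?:-\S+)? \[")


def parse_runtimes(listing):
    """Yield (framework name, version tuple) for each runtime line in the listing."""
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("name"), tuple(int(p) for p in m.group("ver").split("."))


def affected_runtimes(listing):
    """Return [(installed version, fixed version)] for ASP.NET Core runtimes in an affected range."""
    hits = []
    for name, ver in parse_runtimes(listing):
        if name != "Microsoft.AspNetCore.App":
            continue  # only the ASP.NET Core shared framework carries Kestrel
        branch = ver[:2]
        if branch in AFFECTED:
            low, high = AFFECTED[branch]
            if low <= ver <= high:  # tuple comparison handles patch numbers >= 10
                hits.append((".".join(map(str, ver)), FIXED[branch]))
    return hits


if __name__ == "__main__":
    for ver, fixed in affected_runtimes(SAMPLE_LISTING):
        print(f"Microsoft.AspNetCore.App {ver} is affected by CVE-2022-21986; update to {fixed}")
```

Self-contained deployments bundle their own copy of the runtime and do not appear in `dotnet --list-runtimes`, so they need to be inventoried separately.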

Fix

RCE

Weakness Enumeration

Related Identifiers

ALSA-2022:0496
ALT-PU-2022-1269
ALT-PU-2022-1270
ALT-PU-2022-1357
ALT-PU-2022-1358
ALT-PU-2022-1544
ALT-PU-2022-1545
BDU:2022-01176
BIT-DOTNET-2022-21986
BIT-DOTNET-SDK-2022-21986
CESA-2022_0495
CESA-2022_0496
CVE-2022-21986
GHSA-X459-P2RX-F8FF
RHSA-2022:0495
RHSA-2022:0496
RHSA-2022:0499
RHSA-2022:0500
RHSA-2022_0495
RHSA-2022_0496
RLSA-2022:0495
RLSA-2022:0496

Affected Products

Alt Linux
Almalinux
Centos
Kestrel
Net 5.0
Net 6.0
Red Hat
Rocky Linux