PT-2022-4631 · Microsoft+5 · Net Core 3.1+7

Lars Eidnes · Published 2022-03-08 · Updated 2024-03-06 · CVE-2022-24464

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

.NET 6.0 versions 6.0.0 through 6.0.2
.NET 5.0 versions 5.0.0 through 5.0.14
.NET Core 3.1 versions 3.1.0 through 3.1.22

Description

The issue is related to incorrect clearing or release of resources, which can be exploited by a remote attacker to cause a denial of service. The vulnerability exists in .NET 6.0, .NET 5.0, and .NET Core 3.1 when parsing certain types of HTTP form requests.

Recommendations

To fix the issue, update .NET 6.0 to version 6.0.3 or later.
To fix the issue, update .NET 5.0 to version 5.0.15 or later.
To fix the issue, update .NET Core 3.1 to version 3.1.23 or later.

As a temporary workaround, consider restricting access to the vulnerable HTTP form request parsing functionality until a patch is available.

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2022:0826
ALSA-2022:0827
ALSA-2022:0830
ALT-PU-2022-1619
ALT-PU-2022-1620
ALT-PU-2022-1621
ALT-PU-2022-1622
ALT-PU-2022-1627
ALT-PU-2022-1628
ALT-PU-2022-2415
ALT-PU-2022-2416
ALT-PU-2023-1307
ALT-PU-2023-1308
ALT-PU-2023-1464
ALT-PU-2023-1465
BDU:2022-05515
BIT-DOTNET-2022-24464
BIT-DOTNET-SDK-2022-24464
CESA-2022_0826
CESA-2022_0827
CESA-2022_0830
CVE-2022-24464
GHSA-CW98-9J8W-WXV9
RHSA-2022:0826
RHSA-2022:0827
RHSA-2022:0828
RHSA-2022:0829
RHSA-2022:0830
RHSA-2022:0832
RHSA-2022_0826
RHSA-2022_0827
RHSA-2022_0830
RLSA-2022:0826
RLSA-2022:0827
RLSA-2022:0830

Affected Products

Alt Linux
Almalinux
Centos
Net 5.0
Net 6.0
Net Core 3.1
Red Hat
Rocky Linux