Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS12aDU1LTc4Nmctd2p3as4AA5C3

.NET Information Disclosure Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

An information disclosure vulnerability exists in .NET Core 3.1 and .NET 6.0 that could lead to unauthorized access of privileged information.

Affected software

If your application uses the following package versions, ensure you update to the latest version of .NET.

.NET Core 3.1

Package name Affected version Patched version
System.Security.Cryptography.Xml <=4.7.0 4.7.1
Microsoft.AspNetCore.App.Runtime.win-x64 >=3.1.0, 3.1.27 3.1.28
Microsoft.AspNetCore.App.Runtime.linux-x64 >=3.1.0, 3.1.27 3.1.28
Microsoft.AspNetCore.App.Runtime.win-x86 >=3.1.0, 3.1.27 3.1.28
Microsoft.AspNetCore.App.Runtime.osx-x64 >=3.1.0, 3.1.27 3.1.28
Microsoft.AspNetCore.App.Runtime.linux-musl-x64 >=3.1.0, 3.1.27 3.1.28
Microsoft.AspNetCore.App.Runtime.linux-arm64 >=3.1.0, 3.1.27 3.1.28
Microsoft.AspNetCore.App.Runtime.linux-arm >=3.1.0, 3.1.27 3.1.28
Microsoft.AspNetCore.App.Runtime.win-arm64 >=3.1.0, 3.1.27 3.1.28
Microsoft.AspNetCore.App.Runtime.win-arm >=3.1.0, 3.1.27 3.1.28
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 >=3.1.0, 3.1.27 3.1.28
Microsoft.AspNetCore.App.Runtime.linux-musl-arm >=3.1.0, 3.1.27 3.1.28

.NET 6

Package name Affected version Patched version
System.Security.Cryptography.Xml >=5.0.0, 6.0.0 6.0.1
Microsoft.AspNetCore.App.Runtime.win-x64 >=6.0.0, 6.0.7 6.0.8
Microsoft.AspNetCore.App.Runtime.linux-x64 >=6.0.0, 6.0.7 6.0.8
Microsoft.AspNetCore.App.Runtime.win-x86 >=6.0.0, 6.0.7 6.0.8
Microsoft.AspNetCore.App.Runtime.osx-x64 >=6.0.0, 6.0.7 6.0.8
Microsoft.AspNetCore.App.Runtime.linux-musl-x64 >=6.0.0, 6.0.7 6.0.8
Microsoft.AspNetCore.App.Runtime.linux-arm64 >=6.0.0, 6.0.7 6.0.8
Microsoft.AspNetCore.App.Runtime.linux-arm >=6.0.0, 6.0.7 6.0.8
Microsoft.AspNetCore.App.Runtime.win-arm64 >=6.0.0, 6.0.7 6.0.8
Microsoft.AspNetCore.App.Runtime.win-arm >=6.0.0, 6.0.7 6.0.8
Microsoft.AspNetCore.App.Runtime.osx-arm64 >=6.0.0, 6.0.7 6.0.8
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 >=6.0.0, 6.0.7 6.0.8
Microsoft.AspNetCore.App.Runtime.linux-musl-arm >=6.0.0, 6.0.7 6.0.8

Patches

Other

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/232
An Issue for this can be found at https://github.com/dotnet/aspnetcore/issues/43166
MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34716

Permalink: https://github.com/advisories/GHSA-vh55-786g-wjwj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12aDU1LTc4Nmctd2p3as4AA5C3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 27 days ago
Updated: 27 days ago


Identifiers: GHSA-vh55-786g-wjwj
References:

Affected Packages

nuget:Microsoft.AspNetCore.App.Runtime.linux-musl-arm
Versions: >= 6.0.0, <= 6.0.7, >= 3.1.0, <= 3.1.27
Fixed in: 6.0.8, 3.1.28
nuget:Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
Versions: >= 6.0.0, <= 6.0.7, >= 3.1.0, <= 3.1.27
Fixed in: 6.0.8, 3.1.28
nuget:Microsoft.AspNetCore.App.Runtime.osx-arm64
Versions: >= 6.0.0, <= 6.0.7
Fixed in: 6.0.8
nuget:Microsoft.AspNetCore.App.Runtime.win-arm
Versions: >= 6.0.0, <= 6.0.7, >= 3.1.0, <= 3.1.27
Fixed in: 6.0.8, 3.1.28
nuget:Microsoft.AspNetCore.App.Runtime.win-arm64
Versions: >= 6.0.0, <= 6.0.7, >= 3.1.0, <= 3.1.27
Fixed in: 6.0.8, 3.1.28
nuget:Microsoft.AspNetCore.App.Runtime.linux-arm
Versions: >= 6.0.0, <= 6.0.7, >= 3.1.0, <= 3.1.27
Fixed in: 6.0.8, 3.1.28
nuget:Microsoft.AspNetCore.App.Runtime.linux-arm64
Versions: >= 6.0.0, <= 6.0.7, >= 3.1.0, <= 3.1.27
Fixed in: 6.0.8, 3.1.28
nuget:Microsoft.AspNetCore.App.Runtime.linux-musl-x64
Versions: >= 6.0.0, <= 6.0.7, >= 3.1.0, <= 3.1.27
Fixed in: 6.0.8, 3.1.28
nuget:Microsoft.AspNetCore.App.Runtime.osx-x64
Versions: >= 6.0.0, <= 6.0.7, >= 3.1.0, <= 3.1.27
Fixed in: 6.0.8, 3.1.28
nuget:Microsoft.AspNetCore.App.Runtime.win-x86
Versions: >= 6.0.0, <= 6.0.7, >= 3.1.0, <= 3.1.27
Fixed in: 6.0.8, 3.1.28
nuget:Microsoft.AspNetCore.App.Runtime.linux-x64
Versions: >= 6.0.0, <= 6.0.7, >= 3.1.0, <= 3.1.27
Fixed in: 6.0.8, 3.1.28
nuget:Microsoft.AspNetCore.App.Runtime.win-x64
Versions: >= 6.0.0, <= 6.0.7, >= 3.1.0, <= 3.1.27
Fixed in: 6.0.8, 3.1.28
nuget:System.Security.Cryptography.Xml
Versions: >= 5.0.0, <= 6.0.0, <= 4.7.0
Fixed in: 6.0.1, 4.7.1