Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qcmp3LXFncjItd2ZjZ84AA0Db
YARP Denial of Service Vulnerability
Impact
A denial of service vulnerability exists in YARP.
Patches
If you're using YARP 1.x, you should update to NuGet package version 1.1.2.
If you're using YARP 2.0.0, you should update to NuGet package version 2.0.1.
You can do so by updating the PackageReference in your .csproj file:
<ItemGroup>
- <PackageReference Include="Yarp.ReverseProxy" Version="2.0.0" />
- <PackageReference Include="Yarp.Telemetry.Consumption" Version="2.0.0" />
+ <PackageReference Include="Yarp.ReverseProxy" Version="2.0.1" />
+ <PackageReference Include="Yarp.Telemetry.Consumption" Version="2.0.1" />
</ItemGroup>
or by selecting 2.0.1 in the NuGet UI inside Visual Studio (Manage NuGet Packages / Updates).
References
Permalink: https://github.com/advisories/GHSA-jrjw-qgr2-wfcg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qcmp3LXFncjItd2ZjZ84AA0Db
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 6 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-jrjw-qgr2-wfcg, CVE-2023-33141
References:
- https://github.com/microsoft/reverse-proxy/security/advisories/GHSA-jrjw-qgr2-wfcg
- https://nvd.nist.gov/vuln/detail/CVE-2023-33141
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33141
- https://www.nuget.org/packages/Yarp.ReverseProxy/1.1.2
- https://www.nuget.org/packages/Yarp.ReverseProxy/2.0.1
- https://github.com/advisories/GHSA-jrjw-qgr2-wfcg
Blast Radius: 1.0
Affected Packages
nuget:Yarp.ReverseProxy
Dependent packages: 63
Dependent repositories: 0
Downloads: 18,661,355 total
Affected Version Ranges: = 2.0.0, <= 1.1.1
Fixed in: 2.0.1, 1.1.2
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 2.0.0
All unaffected versions: 1.1.2, 2.0.1, 2.1.0, 2.2.0
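To apply the affected ranges listed above (= 2.0.0, <= 1.1.1) to your own project files, the following is an added example, not code from the advisory or from the YARP project. It scans a .csproj for Yarp.ReverseProxy references and reports the fixed version to move to. The function names and the sample project are constructed for illustration, and versions that are missing, floating or prerelease are assumed to need manual review.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "Yarp.ReverseProxy"      # the affected package listed in the advisory
FIXED = {1: "1.1.2", 2: "2.0.1"}   # fixed release per major line, from the advisory

# Constructed sample project file, not taken from a real repository.
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Yarp.ReverseProxy" Version="2.0.0" />
    <PackageReference Include="Yarp.Telemetry.Consumption" Version="2.0.0" />
  </ItemGroup>
</Project>"""

def classify(version):
    """Return 'affected', 'unaffected' or 'unknown' for a version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", (version or "").strip())
    if not m:
        # Assumption: missing, floating (2.*), ranged or prerelease versions
        # are not decided here and are reported for manual review.
        return "unknown"
    v = tuple(int(x) for x in m.groups())
    # Advisory ranges: "= 2.0.0" and "<= 1.1.1"
    return "affected" if v == (2, 0, 0) or v <= (1, 1, 1) else "unaffected"

def local(tag):
    """Strip an XML namespace, as found in old-style MSBuild project files."""
    return tag.rsplit("}", 1)[-1]

def scan_csproj(xml_text):
    """Return [(version, status, fixed_version)] for each reference to PACKAGE."""
    results = []
    for el in ET.fromstring(xml_text).iter():
        name = el.get("Include") or el.get("Update") or ""
        if local(el.tag) != "PackageReference" or name.lower() != PACKAGE.lower():
            continue
        version = el.get("Version")
        if version is None:  # version given as a child <Version> element
            child = next((c for c in el if local(c.tag) == "Version"), None)
            version = child.text if child is not None else None
        status = classify(version)
        major = int(version.strip().split(".")[0]) if status == "affected" else None
        fix = FIXED[2] if major == 2 else FIXED[1] if status == "affected" else None
        results.append((version, status, fix))
    return results

if __name__ == "__main__":
    for version, status, fix in scan_csproj(SAMPLE):
        print(f"{PACKAGE} {version}: {status}" + (f", update to {fix}" if fix else ""))
```

An "unknown" result usually means the version is set elsewhere (for example in a central package version file), so check the resolved version there.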