{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-35391", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2023-06-14T23:09:47.640Z", "datePublished": "2023-08-08T18:52:30.105Z", "dateUpdated": "2024-09-11T18:57:48.798Z"}, "containers": {"cna": {"title": "ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability", "datePublic": "2023-08-08T07:00:00+00:00", "affected": [{"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.2", "cpes": ["cpe:2.3:a:microsoft:visual_studio_2022:17.2:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.2.0", "lessThan": "17.2.18", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.4", "cpes": ["cpe:2.3:a:microsoft:visual_studio_2022:17.4:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.4.0", "lessThan": "17.4.10", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.6", "cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.6.0", "lessThan": "17.6.6", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "ASP.NET Core 2.1", "cpes": ["cpe:2.3:a:microsoft:asp.net_core:2.1*:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "2.0", "lessThan": "2.1.40", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": ".NET 6.0", "cpes": ["cpe:2.3:a:microsoft:.net:6.0.0:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "6.0.0", "lessThan": "6.0.21", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": ".NET 7.0", "cpes": ["cpe:2.3:a:microsoft:.net:7.0.0:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "7.0.0", "lessThan": "7.0.10", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "Information Disclosure", "lang": "en-US", "type": "Impact"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2024-05-29T01:33:05.429Z"}, "references": [{"name": "ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability", "tags": ["vendor-advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35391"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 6.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C"}}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:23:59.717Z"}, "title": "CVE Program Container", "references": [{"name": "ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability", "tags": ["vendor-advisory", "x_transferred"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35391"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-11T18:55:14.681715Z", "id": "CVE-2023-35391", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T18:57:48.798Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35391", "name": "ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:23:59.717Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-35391", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-11T18:55:14.681715Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T18:57:43.523Z"}}], "cna": {"title": "ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 6.2, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:microsoft:visual_studio_2022:17.2:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.2", "versions": [{"status": "affected", "version": "17.2.0", "lessThan": "17.2.18", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:visual_studio_2022:17.4:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.4", "versions": [{"status": "affected", "version": "17.4.0", "lessThan": "17.4.10", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.6", "versions": [{"status": "affected", "version": "17.6.0", "lessThan": "17.6.6", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:asp.net_core:2.1*:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "ASP.NET Core 2.1", "versions": [{"status": "affected", "version": "2.0", "lessThan": "2.1.40", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:.net:6.0.0:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": ".NET 6.0", "versions": [{"status": "affected", "version": "6.0.0", "lessThan": "6.0.21", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:.net:7.0.0:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": ".NET 7.0", "versions": [{"status": "affected", "version": "7.0.0", "lessThan": "7.0.10", "versionType": "custom"}], "platforms": ["Unknown"]}], "datePublic": "2023-08-08T07:00:00+00:00", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35391", "name": "ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability"}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "Impact", "description": "Information Disclosure"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2024-05-29T01:33:05.429Z"}}}, "cveMetadata": {"cveId": "CVE-2023-35391", "state": "PUBLISHED", "dateUpdated": "2024-09-11T18:57:48.798Z", "dateReserved": "2023-06-14T23:09:47.640Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2023-08-08T18:52:30.105Z", "assignerShortName": "microsoft"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA257401-7276-4427-8692-7B5A6495F182", "versionEndExcluding": "6.0.21", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "matchCriteriaId": "C2239C44-5436-4968-959B-C686E0FAECD1", "versionEndExcluding": "7.0.10", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*", "matchCriteriaId": "65CCEE15-3742-40B0-9241-1779929F529F", "versionEndExcluding": "2.1.40", "versionStartIncluding": "2.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "DADAE1CA-1303-4B24-A9EC-E79A83088E49", "versionEndExcluding": "17.2.18", "versionStartIncluding": "17.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2A151F0-EE6A-4D89-BF83-74CCAA76E373", "versionEndExcluding": "17.4.10", "versionStartIncluding": "17.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB465155-CEDD-48E5-8B58-AF49B8FAF504", "versionEndExcluding": "17.6.6", "versionStartIncluding": "17.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability"}], "id": "CVE-2023-35391", "lastModified": "2023-11-06T23:15:10.237", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "secure@microsoft.com", "type": "Secondary"}]}, "published": "2023-08-08T19:15:09.940", "references": [{"source": "secure@microsoft.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35391"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "dotnet: Redis backplane in SignalR listen disclosure information to unexpected group or user", "id": "2228618", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2228618"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-200", "details": ["ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability", "A vulnerability was found in dotnet. This issue exists in .NET 6.0 and .NET 7.0 when using the redis backplane in SignalIR, which may result in information disclosure."], "name": "CVE-2023-35391", "package_state": [{"cpe": "cpe:/a:redhat:rhel_dotnet:6.0", "fix_state": "Not affected", "package_name": "rh-dotnet60", "product_name": ".NET 6.0 on Red Hat Enterprise Linux"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "dotnet6.0", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "dotnet7.0", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dotnet6.0", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dotnet7.0", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-08-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-35391\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-35391\nhttps://devblogs.microsoft.com/dotnet/august-2023-updates/"], "statement": "This CVE only affects .NET configurations on Windows OS. Red Hat software are not impacted.", "threat_severity": "Moderate"}