{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21319", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2023-12-08T22:45:19.367Z", "datePublished": "2024-01-09T18:59:01.270Z", "dateUpdated": "2024-10-08T15:40:06.745Z"}, "containers": {"cna": {"title": "Microsoft Identity Denial of service vulnerability", "datePublic": "2024-01-09T08:00:00+00:00", "affected": [{"vendor": "Microsoft", "product": ".NET 6.0", "cpes": ["cpe:2.3:a:microsoft:.net:6.0.0:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "6.0.0", "lessThan": "6.0.26", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.2", "cpes": ["cpe:2.3:a:microsoft:visual_studio_2022:17.2:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.2.0", "lessThan": "17.2.23", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.6", "cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.6.0", "lessThan": "17.6.11", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.4", "cpes": ["cpe:2.3:a:microsoft:visual_studio_2022:17.4:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.4.0", "lessThan": "17.4.15", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.8", "cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.8.0", "lessThan": "17.8.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": ".NET 7.0", "cpes": ["cpe:2.3:a:microsoft:.net:7.0.0:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "7.0.0", "lessThan": "7.0.15", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": ".NET 8.0", "cpes": ["cpe:2.3:a:microsoft:.net:8.0.0:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "1.0.0", "lessThan": "8.0.1", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Identity Model v6.0.0 forNuget", "cpes": ["cpe:2.3:a:microsoft:identitymodel_for_nuget:*:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "0", "lessThan": "6.34.0", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Identity Model v7.0.0 for Nuget", "cpes": ["cpe:2.3:a:microsoft:identitymodel_for_nuget:*:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "0", "lessThan": "7.1.2", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Identity Model v6.0.0", "cpes": ["cpe:2.3:a:microsoft:identitymodel:*:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "0", "lessThan": "6.34.0", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Identity Model v5.0.0", "cpes": ["cpe:2.3:a:microsoft:identitymodel:*:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "0", "lessThan": "5.7.0", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Identity Model v7.0.0", "cpes": ["cpe:2.3:a:microsoft:identitymodel:*:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "0", "lessThan": "7.1.2", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Identity Model v5.0.0 for Nuget", "cpes": ["cpe:2.3:a:microsoft:identitymodel_for_nuget:*:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "0", "lessThan": "5.7.0", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Microsoft Identity Denial of service vulnerability", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-20: Improper Input Validation", "lang": "en-US", "type": "CWE", "cweId": "CWE-20"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2024-10-08T15:40:06.745Z"}, "references": [{"name": "Microsoft Identity Denial of service vulnerability", "tags": ["vendor-advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21319"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 6.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:20:39.921Z"}, "title": "CVE Program Container", "references": [{"name": "Microsoft Identity Denial of service vulnerability", "tags": ["vendor-advisory", "x_transferred"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21319"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "matchCriteriaId": "498DF6C9-EC7C-4A4F-A188-B22E82FD6540", "versionEndExcluding": "6.0.26", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "matchCriteriaId": "3CE00AC7-D405-4567-8CB1-C3ED7E2925C6", "versionEndExcluding": "7.0.15", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "matchCriteriaId": "8583992E-20C5-4437-ACFE-22FEBD539E4C", "versionEndExcluding": "8.0.1", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:identity_model:*:*:*:*:*:.net:*:*", "matchCriteriaId": "F39C475D-FDCE-4DE1-B936-01D268FD7645", "versionEndExcluding": "5.7.0", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:identity_model:*:*:*:*:*:.net:*:*", "matchCriteriaId": "A286ABF0-E7B7-44E0-9EF1-0226BDD5338A", "versionEndExcluding": "6.34.0", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:identity_model:*:*:*:*:*:.net:*:*", "matchCriteriaId": "B12074D2-B6C2-4797-BCE8-27A5E6314FB1", "versionEndExcluding": "7.1.2", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "42B33777-27CB-45CC-A95A-3F4369DBB31D", "versionEndExcluding": "17.2.23", "versionStartIncluding": "17.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "E578915C-4563-4767-A1F9-7C0ADF58BDA6", "versionEndExcluding": "17.4.15", "versionStartIncluding": "17.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB1E1DB4-BE9A-48E9-808D-E239CFDB26BA", "versionEndExcluding": "17.6.11", "versionStartIncluding": "17.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A6D3ECE-ED4D-4778-900F-4D4E1D05F00E", "versionEndExcluding": "17.8.4", "versionStartIncluding": "17.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Microsoft Identity Denial of service vulnerability"}, {"lang": "es", "value": "Vulnerabilidad de denegaci\u00f3n de servicio de identidad de Microsoft"}], "id": "CVE-2024-21319", "lastModified": "2024-05-29T00:15:19.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2024-01-09T19:15:12.070", "references": [{"source": "secure@microsoft.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21319"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "secure@microsoft.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:0255", "cpe": "cpe:/a:redhat:rhel_dotnet:6.0::el7", "package": "rh-dotnet60-dotnet-0:6.0.126-1.el7_9", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2024-01-15T00:00:00Z"}, {"advisory": "RHSA-2024:0150", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet8.0-0:8.0.101-1.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0157", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet7.0-0:7.0.115-1.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0158", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet6.0-0:6.0.126-1.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0151", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet7.0-0:7.0.115-1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0152", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet8.0-0:8.0.101-1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0156", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet6.0-0:6.0.126-1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-01-10T00:00:00Z"}], "bugzilla": {"description": "dotnet: .NET Denial of Service Vulnerability", "id": "2257566", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257566"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["Microsoft Identity Denial of service vulnerability", "A Denial of Service vulnerability was found in .NET Core project templates that utilize JWT-based authentication tokens. This issue may allow an unauthenticated client to consume arbitrarily large amounts of server memory, potentially triggering an out-of-memory condition on the server and making the server no longer able to respond to legitimate requests."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-21319", "public_date": "2024-01-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-21319\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21319\nhttps://github.com/dotnet/core/blob/ce802c56fde3abe2ae14ad09a1b8991b6709c18b/release-notes/6.0/6.0.26/6.0.26.md"], "statement": "This DoS vulnerability in .NET Core project templates utilizing JWT-based authentication tokens is considered a moderate issue due to its restricted impact. While unauthenticated clients can exploit the server's memory, potentially causing an out-of-memory condition and service disruption, the vulnerability does not lead to remote code execution or compromise sensitive data. Its exploitability is contingent on specific project configurations, limiting the scope of affected systems.", "threat_severity": "Moderate", "upstream_fix": ".NET SDK 6.0.126 and .NET Runtime 6.0.26 and .NET SDK 7.0.115 and .NET Runtime 7.0.15"}