OpenCVE

.NET and Visual Studio Denial of Service Vulnerability

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Microsoft	.net Powershell Visual Studio Visual Studio 2022
Redhat	Enterprise Linux

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
dotnet7.0-0:7.0.117-1.el8_9	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:1308	2024-03-13T00:00:00Z
dotnet8.0-0:8.0.103-1.el8_9	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:1311	2024-03-13T00:00:00Z
Red Hat Enterprise Linux 9
dotnet7.0-0:7.0.117-1.el9_3	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:1309	2024-03-13T00:00:00Z
dotnet8.0-0:8.0.103-2.el9_3	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:1310	2024-03-13T00:00:00Z

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21392
https://nvd.nist.gov/vuln/detail/CVE-2024-21392
https://www.cve.org/CVERecord?id=CVE-2024-21392

History

No history.

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2024-03-12T16:57:42.012Z

Updated: 2024-08-01T22:20:40.420Z

Reserved: 2023-12-08T22:45:20.454Z

Link: CVE-2024-21392

Vulnrichment

Updated: 2024-08-01T22:20:40.420Z

NVD

Status : Awaiting Analysis

Published: 2024-03-12T17:15:49.637

Modified: 2024-05-29T00:15:32.400

Link: CVE-2024-21392

Redhat

Severity : Moderate

Publid Date: 2024-03-12T00:00:00Z

Links: CVE-2024-21392 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21392", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2023-12-08T22:45:20.454Z", "datePublished": "2024-03-12T16:57:42.012Z", "dateUpdated": "2024-08-01T22:20:40.420Z"}, "containers": {"cna": {"title": ".NET and Visual Studio Denial of Service Vulnerability", "datePublic": "2024-03-12T07:00:00+00:00", "affected": [{"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.9", "cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.0", "lessThan": "17.9.3", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "PowerShell 7.3", "cpes": ["cpe:2.3:a:microsoft:powershell:7.3:-:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "7.3.0", "lessThan": "7.3.12", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "PowerShell 7.4", "cpes": [], "platforms": ["Unknown"], "versions": [{"version": "N/A", "status": "affected"}]}, {"vendor": "Microsoft", "product": ".NET 7.0", "cpes": ["cpe:2.3:a:microsoft:.net:7.0.0:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "7.0.0", "lessThan": "7.0.17", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": ".NET 8.0", "cpes": ["cpe:2.3:a:microsoft:.net:8.0.0:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "1.0.0", "lessThan": "8.0.3", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.6", "cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.6.0", "lessThan": "17.6.13", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.4", "cpes": ["cpe:2.3:a:microsoft:visual_studio_2022:17.4:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.4.0", "lessThan": "17.4.17", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.8", "cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.8.0", "lessThan": "17.8.8", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": ".NET and Visual Studio Denial of Service Vulnerability", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en-US", "type": "CWE", "cweId": "CWE-400"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2024-06-11T15:09:29.487Z"}, "references": [{"name": ".NET and Visual Studio Denial of Service Vulnerability", "tags": ["vendor-advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21392"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-12T19:02:46.047938Z", "id": "CVE-2024-21392", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T18:27:30.599Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:20:40.420Z"}, "title": "CVE Program Container", "references": [{"name": ".NET and Visual Studio Denial of Service Vulnerability", "tags": ["vendor-advisory", "x_transferred"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21392"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21392", "name": ".NET and Visual Studio Denial of Service Vulnerability", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:20:40.420Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21392", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-12T19:02:46.047938Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T18:27:28.373Z"}}], "cna": {"title": ".NET and Visual Studio Denial of Service Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.9", "versions": [{"status": "affected", "version": "17.0", "lessThan": "17.9.3", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:powershell:7.3:-:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "PowerShell 7.3", "versions": [{"status": "affected", "version": "7.3.0", "lessThan": "7.3.12", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": [], "vendor": "Microsoft", "product": "PowerShell 7.4", "versions": [{"status": "affected", "version": "N/A"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:.net:7.0.0:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": ".NET 7.0", "versions": [{"status": "affected", "version": "7.0.0", "lessThan": "7.0.17", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:.net:8.0.0:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": ".NET 8.0", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "8.0.3", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.6", "versions": [{"status": "affected", "version": "17.6.0", "lessThan": "17.6.13", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:visual_studio_2022:17.4:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.4", "versions": [{"status": "affected", "version": "17.4.0", "lessThan": "17.4.17", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.8", "versions": [{"status": "affected", "version": "17.8.0", "lessThan": "17.8.8", "versionType": "custom"}], "platforms": ["Unknown"]}], "datePublic": "2024-03-12T07:00:00+00:00", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21392", "name": ".NET and Visual Studio Denial of Service Vulnerability", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": ".NET and Visual Studio Denial of Service Vulnerability"}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2024-06-11T15:09:29.487Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21392", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:20:40.420Z", "dateReserved": "2023-12-08T22:45:20.454Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2024-03-12T16:57:42.012Z", "assignerShortName": "microsoft"}, "dataVersion": "5.1"}

{"affected_release": [{"advisory": "RHSA-2024:1308", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet7.0-0:7.0.117-1.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-03-13T00:00:00Z"}, {"advisory": "RHSA-2024:1311", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet8.0-0:8.0.103-1.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-03-13T00:00:00Z"}, {"advisory": "RHSA-2024:1309", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet7.0-0:7.0.117-1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-03-13T00:00:00Z"}, {"advisory": "RHSA-2024:1310", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet8.0-0:8.0.103-2.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-03-13T00:00:00Z"}], "bugzilla": {"description": "dotnet: DoS in .NET Core / YARP HTTP / 2 WebSocket support", "id": "2268266", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268266"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": [".NET and Visual Studio Denial of Service Vulnerability", "A vulnerability was found in dotnet. The YARP HTTP/2 WebSocket support in .NET Core can cause a denial of service (DoS)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-21392", "package_state": [{"cpe": "cpe:/a:redhat:rhel_dotnet:6.0", "fix_state": "Not affected", "package_name": "rh-dotnet60-dotnet", "product_name": ".NET 6.0 on Red Hat Enterprise Linux"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "dotnet6.0", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dotnet6.0", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-03-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-21392\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21392"], "statement": "The versions of dotnet6.0, as shipped within Red Hat-supported products, are not affected by this issue.", "threat_severity": "Moderate", "upstream_fix": "dotnet 8.0, dotnet 7.0"}