HIGH 7.5
GHSA-242j-2gm6-5rwx
ASP.NET Core and Visual Studio Denial of Service Vulnerability
Details
A denial-of-service vulnerability exists in the way Kestrel parses HTTP/2 requests. The security update addresses the vulnerability by fixing the way the Kestrel parses HTTP/2 requests. Users are advised to upgrade.
Are you affected?
Enter the version of the package you're using.
Affected packages
NuGet / Microsoft.AspNetCore.Server.Kestrel.Core
Introduced in:
0 Fixed in: 2.1.25 Fix
dotnet add package Microsoft.AspNetCore.Server.Kestrel.Core --version 2.1.25 NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm
Introduced in:
3.1.0 Fixed in: 3.1.11 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.linux-arm --version 3.1.11 NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm
Introduced in:
5.0.0 Fixed in: 5.0.2 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.linux-arm --version 5.0.2 NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm64
Introduced in:
3.1.0 Fixed in: 3.1.11 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.linux-arm64 --version 3.1.11 NuGet / Microsoft.AspNetCore.App.Runtime.linux-arm64
Introduced in:
5.0.0 Fixed in: 5.0.2 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.linux-arm64 --version 5.0.2 NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
Introduced in:
3.1.0 Fixed in: 3.1.11 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 --version 3.1.11 NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
Introduced in:
5.0.0 Fixed in: 5.0.2 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 --version 5.0.2 NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-x64
Introduced in:
3.1.0 Fixed in: 3.1.11 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.linux-musl-x64 --version 3.1.11 NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-x64
Introduced in:
5.0.0 Fixed in: 5.0.2 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.linux-musl-x64 --version 5.0.2 NuGet / Microsoft.AspNetCore.App.Runtime.linux-x64
Introduced in:
3.1.0 Fixed in: 3.1.11 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.linux-x64 --version 3.1.11 NuGet / Microsoft.AspNetCore.App.Runtime.linux-x64
Introduced in:
5.0.0 Fixed in: 5.0.2 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.linux-x64 --version 5.0.2 NuGet / Microsoft.AspNetCore.App.Runtime.osx-x64
Introduced in:
3.1.0 Fixed in: 3.1.11 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.osx-x64 --version 3.1.11 NuGet / Microsoft.AspNetCore.App.Runtime.osx-x64
Introduced in:
5.0.0 Fixed in: 5.0.2 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.osx-x64 --version 5.0.2 NuGet / Microsoft.AspNetCore.App.Runtime.win-arm
Introduced in:
3.1.0 Fixed in: 3.1.11 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.win-arm --version 3.1.11 NuGet / Microsoft.AspNetCore.App.Runtime.win-arm
Introduced in:
5.0.0 Fixed in: 5.0.2 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.win-arm --version 5.0.2 NuGet / Microsoft.AspNetCore.App.Runtime.win-arm64
Introduced in:
3.1.0 Fixed in: 3.1.11 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.win-arm64 --version 3.1.11 NuGet / Microsoft.AspNetCore.App.Runtime.win-arm64
Introduced in:
5.0.0 Fixed in: 5.0.2 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.win-arm64 --version 5.0.2 NuGet / Microsoft.AspNetCore.App.Runtime.win-x64
Introduced in:
3.1.0 Fixed in: 3.1.11 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.win-x64 --version 3.1.11 NuGet / Microsoft.AspNetCore.App.Runtime.win-x64
Introduced in:
5.0.0 Fixed in: 5.0.2 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.win-x64 --version 5.0.2 NuGet / Microsoft.AspNetCore.App.Runtime.win-x86
Introduced in:
3.1.0 Fixed in: 3.1.11 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.win-x86 --version 3.1.11 NuGet / Microsoft.AspNetCore.App.Runtime.win-x86
Introduced in:
5.0.0 Fixed in: 5.0.2 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.win-x86 --version 5.0.2 NuGet / Microsoft.AspNetCore.App.Runtime.linux-musl-arm
Introduced in:
5.0.1 Fixed in: 5.0.2 Fix
dotnet add package Microsoft.AspNetCore.App.Runtime.linux-musl-arm --version 5.0.2 References
- https://nvd.nist.gov/vuln/detail/CVE-2021-1723 [ADVISORY]
- https://github.com/dotnet/announcements/issues/170 [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3L27CGRVEWUPELNJOGTCW6GLEDBECB4B [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RRXHERXW4KR5WCP76UDW5PC7GX3YQLUW [WEB]
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1723 [WEB]