GHSA-r8m2-4x37-6592
.NET Denial of Service Vulnerability
Details
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A denial of service vulnerability exists in ASP.NET Core 3.1 and .NET 6.0: a malicious client can send a customized payload that is parsed during model binding and causes a stack overflow, which may result in a denial of service.
## <a name="affected-software"></a>Affected software

* Any .NET 6.0 application running on .NET 6.0.8 or earlier.
* Any ASP.NET Core 3.1 application running on .NET Core 3.1.28 or earlier.

If your application uses the following package versions, ensure you update to the latest version of .NET.

### <a name="ASP.NET Core 3.1"></a>.NET Core 3.1

Package name | Affected version | Patched version
------------ | ---------------- | -------------------------
[Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm)|>= 3.1.0, < 3.1.29|3.1.29
[Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64)|>= 3.1.0, < 3.1.29|3.1.29
[Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64)|>= 3.1.0, < 3.1.29|3.1.29
[Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64)|>= 3.1.0, < 3.1.29|3.1.29
[Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64)|>= 3.1.0, < 3.1.29|3.1.29
[Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64)|>= 3.1.0, < 3.1.29|3.1.29
[Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm)|>= 3.1.0, < 3.1.29|3.1.29
[Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64)|>= 3.1.5, < 3.1.29|3.1.29
[Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64)|>= 3.1.0, < 3.1.29|3.1.29
[Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86)|>= 3.1.0, < 3.1.29|3.1.29

### <a name=".NET 6"></a>.NET 6

Package name | Affected version | Patched version
------------ | ---------------- | -------------------------
[Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm)|>= 5.0.0, < 6.0.9|6.0.9
[Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64)|>= 5.0.0, < 6.0.9|6.0.9
[Microsoft.AspNetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm)|>= 5.0.1, < 6.0.9|6.0.9
[Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64)|>= 5.0.0, < 6.0.9|6.0.9
[Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64)|>= 5.0.0, < 6.0.9|6.0.9
[Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64)|>= 5.0.0, < 6.0.9|6.0.9
[Microsoft.AspNetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-arm64)|>= 6.0.0, < 6.0.9|6.0.9
[Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64)|>= 5.0.0, < 6.0.9|6.0.9
[Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm)|>= 5.0.0, < 6.0.9|6.0.9
[Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64)|>= 5.0.0, < 6.0.9|6.0.9
[Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64)|>= 5.0.0, < 6.0.9|6.0.9
[Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86)|>= 5.0.0, < 6.0.9|6.0.9
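
To check a host against these ranges, the following added example (not part of the advisory or of any Microsoft tooling) parses the text printed by `dotnet --list-runtimes` and flags installed `Microsoft.AspNetCore.App` shared runtimes that fall inside the affected ranges. The bounds `3.1.0`/`3.1.29` and `5.0.0`/`6.0.9` are taken from the tables above; the function name and the sample output are constructed for illustration.

```python
import re

# Affected ranges copied from the advisory's package tables:
# (first affected, first patched); lower bound inclusive, upper exclusive.
AFFECTED_RANGES = [
    ((3, 1, 0), (3, 1, 29)),
    ((5, 0, 0), (6, 0, 9)),
]
FRAMEWORK = "Microsoft.AspNetCore.App"

# One line of `dotnet --list-runtimes`: "<name> <version> [<install dir>]"
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)(\S*)\s+\[(.*)\]\s*$")


def find_affected_runtimes(list_runtimes_output):
    """Return (version, install_dir, patched_version) per affected runtime."""
    findings = []
    for line in list_runtimes_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != FRAMEWORK:
            continue  # blank lines and other frameworks (e.g. NETCore.App)
        version = tuple(int(m.group(i)) for i in (2, 3, 4))
        # A pre-release suffix (e.g. "-rc.1") is ignored for the comparison
        # and only echoed back in the reported version string.
        for low, patched in AFFECTED_RANGES:
            if low <= version < patched:
                findings.append((
                    "%d.%d.%d%s" % (version + (m.group(5),)),
                    m.group(6),
                    ".".join(map(str, patched)),
                ))
    return findings


# Constructed sample output, not captured from a real host.
SAMPLE = """\
Microsoft.AspNetCore.App 3.1.28 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.8 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.9 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.8 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for version, path, patched in find_affected_runtimes(SAMPLE):
        print("AFFECTED %s %s at %s -> update to %s or later"
              % (FRAMEWORK, version, path, patched))
```

On a real host, pass the captured output of `dotnet --list-runtimes` instead of `SAMPLE`; self-contained deployments bundle their own runtime and do not appear in that listing.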
### Other
- Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/234
- An Issue for this can be found at https://github.com/dotnet/aspnetcore/issues/43953
- MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38013
Affected packages
- 3.1.0 (fixed version: 3.1.29): `dotnet add package Microsoft.AspNetCore.App.Runtime.linux-arm --version 3.1.29`
- 3.1.0 (fixed version: 3.1.29): `dotnet add package Microsoft.AspNetCore.App.Runtime.linux-arm64 --version 3.1.29`
- 3.1.0 (fixed version: 3.1.29): `dotnet add package Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 --version 3.1.29`
- 3.1.0 (fixed version: 3.1.29): `dotnet add package Microsoft.AspNetCore.App.Runtime.linux-musl-x64 --version 3.1.29`
- 3.1.0 (fixed version: 3.1.29): `dotnet add package Microsoft.AspNetCore.App.Runtime.linux-x64 --version 3.1.29`
- 3.1.0 (fixed version: 3.1.29): `dotnet add package Microsoft.AspNetCore.App.Runtime.osx-x64 --version 3.1.29`
- 3.1.0 (fixed version: 3.1.29): `dotnet add package Microsoft.AspNetCore.App.Runtime.win-arm --version 3.1.29`
- 3.1.0 (fixed version: 3.1.29): `dotnet add package Microsoft.AspNetCore.App.Runtime.win-arm64 --version 3.1.29`
- 3.1.0 (fixed version: 3.1.29): `dotnet add package Microsoft.AspNetCore.App.Runtime.win-x64 --version 3.1.29`
- 3.1.0 (fixed version: 3.1.29): `dotnet add package Microsoft.AspNetCore.App.Runtime.win-x86 --version 3.1.29`
- 5.0.0 (fixed version: 6.0.9): `dotnet add package Microsoft.AspNetCore.App.Runtime.linux-arm --version 6.0.9`
- 5.0.0 (fixed version: 6.0.9): `dotnet add package Microsoft.AspNetCore.App.Runtime.linux-arm64 --version 6.0.9`
- 5.0.0 (fixed version: 6.0.9): `dotnet add package Microsoft.AspNetCore.App.Runtime.linux-musl-arm --version 6.0.9`
- 5.0.0 (fixed version: 6.0.9): `dotnet add package Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 --version 6.0.9`
- 5.0.0 (fixed version: 6.0.9): `dotnet add package Microsoft.AspNetCore.App.Runtime.linux-musl-x64 --version 6.0.9`
- 5.0.0 (fixed version: 6.0.9): `dotnet add package Microsoft.AspNetCore.App.Runtime.linux-x64 --version 6.0.9`
- 5.0.0 (fixed version: 6.0.9): `dotnet add package Microsoft.AspNetCore.App.Runtime.osx-arm64 --version 6.0.9`
- 5.0.0 (fixed version: 6.0.9): `dotnet add package Microsoft.AspNetCore.App.Runtime.osx-x64 --version 6.0.9`
- 5.0.0 (fixed version: 6.0.9): `dotnet add package Microsoft.AspNetCore.App.Runtime.win-arm --version 6.0.9`
- 5.0.0 (fixed version: 6.0.9): `dotnet add package Microsoft.AspNetCore.App.Runtime.win-arm64 --version 6.0.9`
- 5.0.0 (fixed version: 6.0.9): `dotnet add package Microsoft.AspNetCore.App.Runtime.win-x64 --version 6.0.9`
- 5.0.0 (fixed version: 6.0.9): `dotnet add package Microsoft.AspNetCore.App.Runtime.win-x86 --version 6.0.9`

References
- https://github.com/dotnet/aspnetcore/security/advisories/GHSA-r8m2-4x37-6592 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2022-38013 [ADVISORY]
- https://github.com/dotnet/aspnetcore [PACKAGE]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2CUL3Z7MEED7RFQZVGQL2MTKSFFZKAAY [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HCV4TQGOTOFHO5ETRKGFKAGYV2YAUVE [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JA6F4CDKLI3MALV6UK3P2DR5AGCLTT7Y [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4K5YL7USOKIR3O2DUKBZMYPWXYPDKXG [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WL334CKOHA6BQQSYJW365HIWJ4IOE45M [WEB]
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38013 [WEB]
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38013 [WEB]