{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21392", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2023-12-08T22:45:20.454Z", "datePublished": "2024-03-12T16:57:42.012Z", "dateUpdated": "2024-08-01T22:20:40.420Z"}, "containers": {"cna": {"title": ".NET and Visual Studio Denial of Service Vulnerability", "datePublic": "2024-03-12T07:00:00+00:00", "affected": [{"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.9", "cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.0", "lessThan": "17.9.3", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "PowerShell 7.3", "cpes": ["cpe:2.3:a:microsoft:powershell:7.3:-:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "7.3.0", "lessThan": "7.3.12", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "PowerShell 7.4", "cpes": [], "platforms": ["Unknown"], "versions": [{"version": "N/A", "status": "affected"}]}, {"vendor": "Microsoft", "product": ".NET 7.0", "cpes": ["cpe:2.3:a:microsoft:.net:7.0.0:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "7.0.0", "lessThan": "7.0.17", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": ".NET 8.0", "cpes": ["cpe:2.3:a:microsoft:.net:8.0.0:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "1.0.0", "lessThan": "8.0.3", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.6", "cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.6.0", "lessThan": "17.6.13", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.4", "cpes": ["cpe:2.3:a:microsoft:visual_studio_2022:17.4:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.4.0", "lessThan": "17.4.17", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.8", "cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.8.0", "lessThan": "17.8.8", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": ".NET and Visual Studio Denial of Service Vulnerability", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en-US", "type": "CWE", "cweId": "CWE-400"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2024-06-11T15:09:29.487Z"}, "references": [{"name": ".NET and Visual Studio Denial of Service Vulnerability", "tags": ["vendor-advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21392"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-12T19:02:46.047938Z", "id": "CVE-2024-21392", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T18:27:30.599Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:20:40.420Z"}, "title": "CVE Program Container", "references": [{"name": ".NET and Visual Studio Denial of Service Vulnerability", "tags": ["vendor-advisory", "x_transferred"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21392"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21392", "name": ".NET and Visual Studio Denial of Service Vulnerability", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:20:40.420Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21392", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-12T19:02:46.047938Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T18:27:28.373Z"}}], "cna": {"title": ".NET and Visual Studio Denial of Service Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.9", "versions": [{"status": "affected", "version": "17.0", "lessThan": "17.9.3", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:powershell:7.3:-:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "PowerShell 7.3", "versions": [{"status": "affected", "version": "7.3.0", "lessThan": "7.3.12", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": [], "vendor": "Microsoft", "product": "PowerShell 7.4", "versions": [{"status": "affected", "version": "N/A"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:.net:7.0.0:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": ".NET 7.0", "versions": [{"status": "affected", "version": "7.0.0", "lessThan": "7.0.17", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:.net:8.0.0:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": ".NET 8.0", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "8.0.3", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.6", "versions": [{"status": "affected", "version": "17.6.0", "lessThan": "17.6.13", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:visual_studio_2022:17.4:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.4", "versions": [{"status": "affected", "version": "17.4.0", "lessThan": "17.4.17", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.8", "versions": [{"status": "affected", "version": "17.8.0", "lessThan": "17.8.8", "versionType": "custom"}], "platforms": ["Unknown"]}], "datePublic": "2024-03-12T07:00:00+00:00", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21392", "name": ".NET and Visual Studio Denial of Service Vulnerability", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": ".NET and Visual Studio Denial of Service Vulnerability"}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2024-06-11T15:09:29.487Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21392", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:20:40.420Z", "dateReserved": "2023-12-08T22:45:20.454Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2024-03-12T16:57:42.012Z", "assignerShortName": "microsoft"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "matchCriteriaId": "703B87E9-C6D6-4C68-B8FE-339ECB852751", "versionEndExcluding": "7.0.17", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B63FDDA-5C8D-4B45-B92C-6D8A12B40493", "versionEndExcluding": "8.0.3", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:powershell:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC909F7F-388D-4407-951A-3D22C6061EBC", "versionEndExcluding": "7.3.12", "versionStartIncluding": "7.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:powershell:7.4:-:*:*:*:*:*:*", "matchCriteriaId": "FFAAFDC7-5AA2-43E6-BE0B-7E0C02FC39C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5439C09-DAAE-443D-8789-CFF1D256F043", "versionEndExcluding": "17.4.17", "versionStartIncluding": "17.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "773E7E41-31D8-4F6A-AE0B-3B2C217D6A19", "versionEndExcluding": "17.6.13", "versionStartIncluding": "17.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "44E68F4D-72A4-466D-BF96-CB21C0FC8716", "versionEndExcluding": "17.8.8", "versionStartIncluding": "17.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "F44D9E3A-06AA-453D-AB1A-B25BD7591912", "versionEndExcluding": "17.9.3", "versionStartIncluding": "17.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": ".NET and Visual Studio Denial of Service Vulnerability"}, {"lang": "es", "value": "Vulnerabilidad de denegaci\u00f3n de servicio en .NET y Visual Studio"}], "id": "CVE-2024-21392", "lastModified": "2024-11-29T20:52:32.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-03-12T17:15:49.637", "references": [{"source": "[email protected]", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21392"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21392"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "[email protected]", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1308", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet7.0-0:7.0.117-1.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-03-13T00:00:00Z"}, {"advisory": "RHSA-2024:1311", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet8.0-0:8.0.103-1.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-03-13T00:00:00Z"}, {"advisory": "RHSA-2024:1309", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet7.0-0:7.0.117-1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-03-13T00:00:00Z"}, {"advisory": "RHSA-2024:1310", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet8.0-0:8.0.103-2.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-03-13T00:00:00Z"}], "bugzilla": {"description": "dotnet: DoS in .NET Core / YARP HTTP / 2 WebSocket support", "id": "2268266", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268266"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": [".NET and Visual Studio Denial of Service Vulnerability", "A vulnerability was found in dotnet. The YARP HTTP/2 WebSocket support in .NET Core can cause a denial of service (DoS)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-21392", "package_state": [{"cpe": "cpe:/a:redhat:rhel_dotnet:6.0", "fix_state": "Not affected", "package_name": "rh-dotnet60-dotnet", "product_name": ".NET 6.0 on Red Hat Enterprise Linux"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "dotnet6.0", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dotnet6.0", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-03-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-21392\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21392"], "statement": "The versions of dotnet6.0, as shipped within Red Hat-supported products, are not affected by this issue.", "threat_severity": "Moderate", "upstream_fix": "dotnet 8.0, dotnet 7.0"}