First published: Tue Sep 13 2022(Updated: )
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A denial of service vulnerability exists in ASP.NET Core 3.1 and .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends a customized payload that is parsed during model binding. ## <a name="affected-software"></a>Affected software * Any .NET 6.0 application running on .NET 6.0.8 or earlier. * Any ASP.NET Core 3.1 application running on .NET Core 3.1.28 or earlier. If your application uses the following package versions, ensure you update to the latest version of .NET. ### <a name="ASP.NET Core 3.1"></a>.NET Core 3.1 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm)|>= 3.1.0, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64)|>= 3.1.0, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64)|>= 3.1.0, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64)|>= 3.1.0, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64)|>= 3.1.0, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64)|>= 3.1.0, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm)|>= 3.1.0, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64)|>= 3.1.5, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64)|>= 3.1.0, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86)|>= 3.1.0, < 3.1.29|3.1.29 ### <a name=".NET 6"></a>.NET 6 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm)|>= 5.0.1, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-arm64)|>= 6.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86)|>= 5.0.0, < 6.0.9|6.0.9 ### Other Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/234 An Issue for this can be found at https://github.com/dotnet/aspnetcore/issues/43953 MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38013
Credit: secure@microsoft.com secure@microsoft.com secure@microsoft.com
Affected Software | Affected Version | How to fix |
---|---|---|
Microsoft .NET | =6.0.0 | |
Microsoft .NET Core | =3.1 | |
Microsoft Visual Studio 2019 | =16.9 | |
Microsoft Visual Studio 2019 | =16.11 | |
Microsoft Visual Studio 2022 | =17.0 | |
Microsoft Visual Studio 2022 | =17.2 | |
Microsoft Visual Studio 2022 | =17.3 | |
Microsoft Visual Studio 2022 | =17.3 | |
Fedoraproject Fedora | =35 | |
Fedoraproject Fedora | =36 | |
Fedoraproject Fedora | =37 | |
nuget/Microsoft.AspNetCore.App.Runtime.win-x86 | >=5.0.0<6.0.9 | 6.0.9 |
nuget/Microsoft.AspNetCore.App.Runtime.win-x64 | >=5.0.0<6.0.9 | 6.0.9 |
nuget/Microsoft.AspNetCore.App.Runtime.win-arm64 | >=5.0.0<6.0.9 | 6.0.9 |
nuget/Microsoft.AspNetCore.App.Runtime.win-arm | >=5.0.0<6.0.9 | 6.0.9 |
nuget/Microsoft.AspNetCore.App.Runtime.osx-x64 | >=5.0.0<6.0.9 | 6.0.9 |
nuget/Microsoft.AspNetCore.App.Runtime.osx-arm64 | >=5.0.0<6.0.9 | 6.0.9 |
nuget/Microsoft.AspNetCore.App.Runtime.linux-x64 | >=5.0.0<6.0.9 | 6.0.9 |
nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >=5.0.0<6.0.9 | 6.0.9 |
nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >=5.0.0<6.0.9 | 6.0.9 |
nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm | >=5.0.0<6.0.9 | 6.0.9 |
nuget/Microsoft.AspNetCore.App.Runtime.linux-arm64 | >=5.0.0<6.0.9 | 6.0.9 |
nuget/Microsoft.AspNetCore.App.Runtime.linux-arm | >=5.0.0<6.0.9 | 6.0.9 |
nuget/Microsoft.AspNetCore.App.Runtime.win-x86 | >=3.1.0<3.1.29 | 3.1.29 |
nuget/Microsoft.AspNetCore.App.Runtime.win-x64 | >=3.1.0<3.1.29 | 3.1.29 |
nuget/Microsoft.AspNetCore.App.Runtime.win-arm64 | >=3.1.0<3.1.29 | 3.1.29 |
nuget/Microsoft.AspNetCore.App.Runtime.win-arm | >=3.1.0<3.1.29 | 3.1.29 |
nuget/Microsoft.AspNetCore.App.Runtime.osx-x64 | >=3.1.0<3.1.29 | 3.1.29 |
nuget/Microsoft.AspNetCore.App.Runtime.linux-x64 | >=3.1.0<3.1.29 | 3.1.29 |
nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >=3.1.0<3.1.29 | 3.1.29 |
nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >=3.1.0<3.1.29 | 3.1.29 |
nuget/Microsoft.AspNetCore.App.Runtime.linux-arm64 | >=3.1.0<3.1.29 | 3.1.29 |
nuget/Microsoft.AspNetCore.App.Runtime.linux-arm | >=3.1.0<3.1.29 | 3.1.29 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-38013 is a denial of service vulnerability in .NET Core and Visual Studio.
The affected software includes Microsoft .NET 6.0.0, Microsoft .NET Core 3.1, Microsoft Visual Studio 2019 versions 16.9 and 16.11, and Microsoft Visual Studio 2022 versions 17.0, 17.2, and 17.3.
CVE-2022-38013 has a severity rating of high (7.5).
To fix CVE-2022-38013, it is recommended to update to the latest versions of the affected software.
You can find more information about CVE-2022-38013 at the following references: [link 1](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2CUL3Z7MEED7RFQZVGQL2MTKSFFZKAAY/), [link 2](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HCV4TQGOTOFHO5ETRKGFKAGYV2YAUVE/), [link 3](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JA6F4CDKLI3MALV6UK3P2DR5AGCLTT7Y/)