{
"schema_version": "1.4.0",
"id": "GHSA-r8m2-4x37-6592",
"modified": "2025-01-02T21:59:08Z",
"published": "2022-09-15T03:25:36Z",
"aliases": [
"CVE-2022-38013"
],
"summary": ".NET Denial of Service Vulnerability",
"details": "Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.\n\nA denial of service vulnerability exists in ASP.NET Core 3.1 and .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends a customized payload that is parsed during model binding.\n\n## Affected software\n* Any .NET 6.0 application running on .NET 6.0.8 or earlier.\n* Any ASP.NET Core 3.1 application running on .NET Core 3.1.28 or earlier.\nIf your application uses the following package versions, ensure you update to the latest version of .NET.\n### .NET Core 3.1\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm)|>= 3.1.0, < 3.1.29|3.1.29\n[Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64)|>= 3.1.0, < 3.1.29|3.1.29\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64)|>= 3.1.0, < 3.1.29|3.1.29\n[Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64)|>= 3.1.0, < 3.1.29|3.1.29\n[Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64)|>= 3.1.0, < 3.1.29|3.1.29\n[Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64)|>= 3.1.0, < 3.1.29|3.1.29\n[Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm)|>= 3.1.0, < 3.1.29|3.1.29\n[Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64)|>= 3.1.5, < 3.1.29|3.1.29\n[Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64)|>= 3.1.0, < 3.1.29|3.1.29\n[Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86)|>= 3.1.0, < 3.1.29|3.1.29\n### .NET 6\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm)|>= 5.0.0, < 6.0.9|6.0.9\n[Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64)|>= 5.0.0, < 6.0.9|6.0.9\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm)|>= 5.0.1, < 6.0.9|6.0.9\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64)|>= 5.0.0, < 6.0.9|6.0.9\n[Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64)|>= 5.0.0, < 6.0.9|6.0.9\n[Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64)|>= 5.0.0, < 6.0.9|6.0.9\n[Microsoft.AspNetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-arm64)|>= 6.0.0, < 6.0.9|6.0.9\n[Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64)|>= 5.0.0, < 6.0.9|6.0.9\n[Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm)|>= 5.0.0, < 6.0.9|6.0.9\n[Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64)|>= 5.0.0, < 6.0.9|6.0.9\n[Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64)|>= 5.0.0, < 6.0.9|6.0.9\n[Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86)|>= 5.0.0, < 6.0.9|6.0.9\n\n\n\n### Other\n\nAnnouncement for this issue can be found at https://github.com/dotnet/announcements/issues/234\nAn Issue for this can be found at https://github.com/dotnet/aspnetcore/issues/43953\nMSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38013",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-arm"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.29"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-arm64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.29"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.29"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-x64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.29"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-x64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.29"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.osx-x64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.29"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-arm"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.29"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-arm64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.29"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-x64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.29"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-x86"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.29"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-arm"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "6.0.9"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-arm64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "6.0.9"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "6.0.9"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "6.0.9"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-x64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "6.0.9"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-x64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "6.0.9"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.osx-arm64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "6.0.9"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.osx-x64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "6.0.9"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-arm"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "6.0.9"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-arm64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "6.0.9"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-x64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "6.0.9"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-x86"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "6.0.9"
}
]
}
]
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/dotnet/aspnetcore/security/advisories/GHSA-r8m2-4x37-6592"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38013"
},
{
"type": "PACKAGE",
"url": "https://github.com/dotnet/aspnetcore"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2CUL3Z7MEED7RFQZVGQL2MTKSFFZKAAY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7HCV4TQGOTOFHO5ETRKGFKAGYV2YAUVE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JA6F4CDKLI3MALV6UK3P2DR5AGCLTT7Y"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4K5YL7USOKIR3O2DUKBZMYPWXYPDKXG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WL334CKOHA6BQQSYJW365HIWJ4IOE45M"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2CUL3Z7MEED7RFQZVGQL2MTKSFFZKAAY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HCV4TQGOTOFHO5ETRKGFKAGYV2YAUVE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JA6F4CDKLI3MALV6UK3P2DR5AGCLTT7Y"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4K5YL7USOKIR3O2DUKBZMYPWXYPDKXG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WL334CKOHA6BQQSYJW365HIWJ4IOE45M"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38013"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38013"
}
],
"database_specific": {
"cwe_ids": [],
"severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2022-09-15T03:25:36Z",
"nvd_published_at": "2022-09-13T19:15:00Z"
}
}