CVE-2022-34716: .NET Spoofing Vulnerability

Overview

Severity

Medium (CVSS 5.9)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

Category

Spoofing

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2022-Aug

Released

2022-08-09

Last Updated

2023-04-11

EPSS Score

1.11% (percentile: 78.1%)

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to successfully execute a blind XXE attack. According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H) but have no effect on integrity (I:N) or on availability (A:N). What does that mean for this vulnerability? Confidentiality is High, if an attacker successfuly exploits this it is information disclosure. While the attacker could read files that shouldn't be exposed, they wouldn't have the ability to modify them in any way (Integrity) or delete them to stop the app or server from functioning (Availability).

Affected Products (9)

Developer Tools

• Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
• Microsoft Visual Studio 2022 version 17.2
• Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)
• Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
• Microsoft Visual Studio 2022 version 17.0
• .NET 6.0
• .NET Core 3.1
• PowerShell 7.0
• PowerShell 7.2

Security Updates (8)

• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• 5016990
• 5016987
• Release Notes

Acknowledgments

Felix Wilhelm of Google Project Zero

Revision History

• 2022-08-09: Information published.
• 2022-08-11: Revised the Security Updates table to include PowerShell 7.0 and PowerShell 7.2 because these versions of PowerShell 7 are affected by this vulnerability. See https://github.com/PowerShell/Announcements/issues/33 for more information.
• 2023-04-11: Revised the Security Updates table to include Visual Studio 2017 version 15.9, Visual Studio 2019 version 16.9, Visual Studio 2019 version 16.11, Visual Studio 2022 version 17.0, and Visual Studio 2022 version 17.2 because these versions of Visual Studio are affected by this vulnerability. Customers running these supported versions of Visual Studio should install the August 2022 updates to be protected from this vulnerability. Customers who have already installed the updates do not need to take any further action.