CVE-2023-36799: .NET Core and Visual Studio Denial of Service Vulnerability

Overview

Severity

Medium (CVSS 6.5)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

Category

Denial of Service

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2023-Sep

Released

2023-09-12

Last Updated

2023-10-24

EPSS Score

1.14% (percentile: 78.4%)

FAQ

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send the user a malicious request and convince them to open it.

Affected Products (8)

Developer Tools

• .NET 6.0
• .NET 7.0
• Microsoft Visual Studio 2022 version 17.2
• Microsoft Visual Studio 2022 version 17.4
• Microsoft Visual Studio 2022 version 17.7
• Microsoft Visual Studio 2022 version 17.6
• PowerShell 7.2
• PowerShell 7.3

Security Updates (6)

• 5032874
• 5032875
• Release Notes
• Release Notes
• Release Notes
• Release Notes

Acknowledgments

Kevin Jones, GitHub

Revision History

• 2023-09-12: Information published.
• 2023-09-19: Revised the Security Updates table to include PowerShell 7.2 and PowerShell 7.3 because these versions of PowerShell 7 are affected by this vulnerability. See https://github.com/PowerShell/Announcements/issues/49 for more information.
• 2023-10-24: To comprehensively address this vulnerability, Microsoft has released security updates on October 24, 2023 for all affected versions of .NET and Microsoft Visual Studio. Microsoft recommends that customers install the updates to be fully protected from the vulnerability.