CVE-2024-38167: .NET and Visual Studio Information Disclosure Vulnerability

Overview

  • Severity: Medium (CVSS 6.5)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
  • Category: Information Disclosure
  • Exploit Status: Not Exploited
  • Exploitation Likelihood: Less Likely
  • Patch Tuesday: 2024-Aug
  • Released: 2024-08-13
  • Last Updated: 2024-10-11
  • EPSS Score: 1.99% (percentile: 83.6%)

FAQ

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited the vulnerability could read targeted email messages.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

Exploitation of this vulnerability requires that a user trigger the payload in the application.

Affected Products (4)

Developer Tools

  • Microsoft Visual Studio 2022 version 17.10
  • Microsoft Visual Studio 2022 version 17.8
  • .NET 8.0
  • Microsoft Visual Studio 2022 version 17.6

Security Updates (4)

Acknowledgments

  • Alex Appleton, D. E. Shaw & Co., L.P.
  • Roman Konecny (https://www.linkedin.com/in/rokonec/), Microsoft

Revision History

  • 2024-08-13: Information published.
  • 2024-09-27: Acknowledgement added. This is an informational change only.
  • 2024-10-11: Added an acknowledgement. This is an informational change only.