Update cve.md for all .NET Releases #9086

Merged
merged 4 commits into from
Jan 25, 2024
59 changes: 28 additions & 31 deletions release-notes/6.0/cve.md
@@ -1,18 +1,18 @@
# .NET 6 CVEs

The .NET Team releases [monthly updates for .NET 6](https://github.com/dotnet/announcements/labels/.NET%206.0) on [Patch Tuesday](https://en.wikipedia.org/wiki/Patch_Tuesday). These updates often include security fixes. If you are on an older version, your app may be vulnerable.
The .NET Team releases [monthly updates for .NET 6](https://github.com/dotnet/announcements/labels/.NET%206.0) on [Patch Tuesday](https://en.wikipedia.org/wiki/Patch_Tuesday). These updates often include security fixes.

Your app needs to be on the latest .NET 6 patch version to be secure. The longer you wait to upgrade, the greater the exposure to CVEs.

## Which CVEs apply to my app?

Your app may be vulnerable to the following published security [CVEs](https://www.cve.org/) if you are using the given version or older.
Your app may be vulnerable to the following published security [CVEs](https://www.cve.org/) if you are using an older .NET 6 patch version.

- 6.0.26 (January 2024)
- [CVE-2024-0056](https://github.com/dotnet/announcements/issues/292) | .NET Information Disclosure Vulnerability
- [CVE-2024-0057 | .NET Security Feature Bypass Vulnerability](https://github.com/dotnet/announcements/issues/291)
- [CVE-2024-21319 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/290)
- [CVE-2024-0057 | .NET Security Feature bypass Vulnerability](https://github.com/dotnet/announcements/issues/291)
- [CVE-2024-0056 | Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/292)
- 6.0.25 (November 2023)
- [CVE-2023-36038 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/286)
- [CVE-2023-36049 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/287)
- [CVE-2023-36558 | .NET Security Feature Bypass Vulnerability](https://github.com/dotnet/announcements/issues/288)
- 6.0.24 (October 2023)
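
Review bot: In the 6.0.26 block, the entry "CVE-2024-0057 | .NET Security Feature bypass Vulnerability" has a lowercase "bypass", while the other CVE-2024-0057 line in this hunk, the CVE-2023-36558 line under 6.0.25, and the 7.0 and 8.0 files all write "Security Feature Bypass"; capitalize it. The same block shows CVE-2024-0056 under two titles (".NET Information Disclosure Vulnerability" and "Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider Information Disclosure Vulnerability"), and the 7.0 and 8.0 files use the short one, so pick one title and use it in all three files. The two versions of the intro also differ on the sentence "If you are on an older version, your app may be vulnerable." and on "the given version or older"; the 7.0 and 8.0 files carry both phrasings, so make the three files agree.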
Expand All @@ -33,9 +33,10 @@ Your app may be vulnerable to the following published security [CVEs](https://ww
- 6.0.21 (August 2023)
- [CVE-2023-35390 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/266)
- [CVE-2023-38180 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/269)
- [CVE-2023-38178 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/268)
- [CVE-2023-35391 | .NET Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/267)
- 6.0.20 (July 2023)
- No new CVEs.
- 6.0.19 (June 2023)
- [CVE-2023-24895 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/261)
- [CVE-2023-24897 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/260)
- [CVE-2023-24936 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/259)
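
Review bot: The "6.0.20 (July 2023)" entry reads "No new CVEs.", but the 7.0 file in this PR lists CVE-2023-33127 and CVE-2023-33170 under "7.0.9 (July 2023)". Please confirm against announcements 263 and 264 whether those two also affect .NET 6 and, if they do, list them under 6.0.20.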
Expand All @@ -45,50 +46,46 @@ Your app may be vulnerable to the following published security [CVEs](https://ww
- [CVE-2023-33126 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/254)
- [CVE-2023-33128 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/253)
- [CVE-2023-33135 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/252)
- 6.0.19 (June 2023)
- No additional CVEs.
- 6.0.18 (June 2023)
- No additional CVEs.
- No new CVEs.
- 6.0.17 (May 2023)
- No additional CVEs.
- No new CVEs.
- 6.0.16 (April 2023)
- No additional CVEs.
- [CVE-2023-28260 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/250)
- 6.0.15 (March 2023)
- No additional CVEs.
- No new CVEs.
- 6.0.14 (February 2023)
- [CVE-2023-21808 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/247)
- 6.0.13 (January 2023)
- [CVE 2023-21538 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/244)
- [CVE-2023-21538 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/244)
- 6.0.12 (December 2022)
- [CVE 2022-41089 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/242)
- [CVE-2022-41089 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/242)
- 6.0.11 (November 2022)
- No additional CVEs.
- No new CVEs.
- 6.0.10 (October 2022)
- No additional CVEs.
- [CVE-2022-41032 | .NET Core Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/236)
- 6.0.9 (September 2022)
- [CVE 2022-41032 | .NET Core Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/236)
- [CVE-2022-38013 | .NET Core Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/234)
- 6.0.8 (August 2022)
- [CVE 2022-38013 | .NET Core Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/234)
- [CVE-2022-34716 | .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/232)
- 6.0.7 (July 2022)
- [CVE 2022-34716 | .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/232)
- No new CVEs.
- 6.0.6 (June 2022)
- No additional CVEs.
- [CVE-2022-30184 | .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/225)
- 6.0.5 (May 2022)
- [CVE 2022-30184 | .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/225)
- [CVE-2022-29145 | ASP.NET Core Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/222)
- [CVE-2022-23267 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/221)
- [CVE-2022-29117 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/220)
- 6.0.4 (April 2022)
- [CVE 2022-29145 | ASP.NET Core Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/222)
- [CVE 2022-23267 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/221)
- [CVE 2022-29117 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/220)
- No new CVEs.
- 6.0.3 (March 2022)
- No additional CVEs.
- 6.0.2 (February 2022)
- [CVE-2022-24512 | .NET Remote Code Execution](https://github.com/dotnet/announcements/issues/213)
- [CVE-2022-24464 | ASP.NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/212)
- 6.0.1 (December 2021
- 6.0.2 (February 2022)
- [CVE-2022-21986 | ASP.NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/207)
- 6.0.0 (November 2021)
- 6.0.1 (December 2021)
- [CVE-2021-43877 | ASP.NET Core Elevation of privilege Vulnerability](https://github.com/dotnet/announcements/issues/206)
- 6.0.0 (November 2021)
- No new CVEs.

The CVEs are displayed one month offset from when they were released. For example, the CVE listed with `6.0.0` was disclosed and a fix was published with `6.0.1`. `6.0.1` is not vulnerable to that CVE while `6.0.0` is. As a result, the CVE is listed with `6.0.0`, where it still applies. The same model is used for the other releases.

The CVE exposure is cumulative. For example, `6.0.0` users may be vulnerable to the CVEs present in `6.0.0` and newer releases. Similarly, `6.0.3` users may be vulnerable to the CVEs present in `6.0.4` and newer releases. The latest release is not vulnerable to any published CVEs.
CVE exposure is cumulative. For example, apps running on the `6.0.0` release may be vulnerable to the CVEs present in `6.0.1` and newer releases. The latest release is not vulnerable to any published CVEs.
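
Review bot: The paragraph beginning "The CVEs are displayed one month offset from when they were released" does not match the list at the end of this hunk: it says the CVE is listed with `6.0.0`, yet CVE-2021-43877 sits under "6.0.1 (December 2021)" and `6.0.0` reads "No new CVEs." If that paragraph is still in the file after this change, remove it or rewrite it to describe the listing that the closing sentence ("may be vulnerable to the CVEs present in `6.0.1` and newer releases") assumes. Two title nits in the same hunk: "Elevation of privilege" in the CVE-2021-43877 entry and ".NET Remote Code Execution" without "Vulnerability" in the CVE-2022-24512 entry differ from every other title in the file.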
70 changes: 70 additions & 0 deletions release-notes/7.0/cve.md
@@ -0,0 +1,70 @@
# .NET 7 CVEs

The .NET Team releases [monthly updates for .NET 7](https://github.com/dotnet/announcements/labels/.NET%207.0) on [Patch Tuesday](https://en.wikipedia.org/wiki/Patch_Tuesday). These updates often include security fixes. If you are on an older version, your app may be vulnerable.

Your app needs to be on the latest .NET 7 patch version to be secure. The longer you wait to upgrade, the greater the exposure to CVEs.

## Which CVEs apply to my app?

Your app may be vulnerable to the following published security [CVEs](https://www.cve.org/) if you are using the given version or older.

- 7.0.15 (January 2024)
- [CVE-2024-0056 | .NET Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/292)
- [CVE-2024-0057 | .NET Security Feature Bypass Vulnerability](https://github.com/dotnet/announcements/issues/291)
- [CVE-2024-21319 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/290)
- 7.0.14 (November 2023)
- [CVE-2023-36049 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/287)
- [CVE-2023-36558 | .NET Security Feature Bypass Vulnerability](https://github.com/dotnet/announcements/issues/288)
- 7.0.13 (October 2023)
- [CVE-2023-36435 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/281)
- [CVE-2023-38171 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/280)
- [CVE-2023-44487 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/282)
- [CVE-2023-36799 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/275)
- [CVE-2023-36796 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/274)
- [CVE-2023-36793 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/273)
- [CVE-2023-36794 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/272)
- [CVE-2023-36792 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/271)
- 7.0.12 (October 2023)
- [CVE-2023-36435 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/281)
- [CVE-2023-38171 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/280)
- [CVE-2023-44487 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/277)
- 7.0.11 (September 2023)
- [CVE-2023-36799 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/275)
- [CVE-2023-36796 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/274)
- [CVE-2023-36793 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/273)
- [CVE-2023-36794 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/272)
- [CVE-2023-36792 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/271)
- 7.0.10 (August 2023)
- [CVE-2023-35390 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/266)
- [CVE-2023-35391 | .NET Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/267)
- [CVE-2023-38178 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/268)
- [CVE-2023-38180 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/269)
- 7.0.9 (July 2023)
- [CVE-2023-33127 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/263)
- [CVE-2023-33170 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/264)
- 7.0.8 (June 2023)
- No new CVEs.
- 7.0.7 (June 2023)
- [CVE-2023-24895 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/261)
- [CVE-2023-24897 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/260)
- [CVE-2023-24936 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/259)
- [CVE-2023-29331 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/257)
- [CVE-2023-29337 | Nuget Client Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/256)
- [CVE-2023-32032 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/255)
- [CVE-2023-33126 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/254)
- [CVE-2023-33128 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/253)
- [CVE-2023-33135 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/252)
- 7.0.5 (April 2023)
- [CVE-2023-28260 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/250)
- 7.0.4 (March 2023)
- No new CVEs.
- 7.0.3 (February 2023)
- [CVE-2023-21808 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/247)
- 7.0.2 (January 2023)
- No new CVEs.
- 7.0.1 (December 2022)
- [CVE-2022-41089 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/242)
- 7.0.0 (November 2022)
- No new CVEs.

The CVE exposure is cumulative. For example, `7.0.0` users may be vulnerable to the CVEs present in `7.0.0` and newer releases. Similarly, `7.0.3` users may be vulnerable to the CVEs present in `7.0.4` and newer releases. The latest release is not vulnerable to any published CVEs.
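
Review bot: "7.0.13 (October 2023)" and "7.0.12 (October 2023)" carry the same month and the same three CVEs (CVE-2023-36435, CVE-2023-38171, CVE-2023-44487), and 7.0.13 also repeats the five CVEs already listed under "7.0.11 (September 2023)"; in addition, CVE-2023-44487 links to announcement 282 in one entry and 277 in the other. List each CVE under a single release, correct the month on whichever entry is wrong, and use one announcement link. The list also has no 7.0.6 entry between 7.0.7 and 7.0.5; add it (with "No new CVEs." if that is the case) or note why it is absent. The closing paragraph says `7.0.0` users may be vulnerable to the CVEs present in "`7.0.0` and newer releases" while `7.0.0` lists "No new CVEs." and the 6.0 file in this PR says "`6.0.1` and newer releases"; reuse the 6.0 wording here.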
19 changes: 19 additions & 0 deletions release-notes/8.0/cve.md
@@ -0,0 +1,19 @@
# .NET 8 CVEs

The .NET Team releases [monthly updates for .NET 8](https://github.com/dotnet/announcements/labels/.NET%208.0) on [Patch Tuesday](https://en.wikipedia.org/wiki/Patch_Tuesday). These updates often include security fixes. If you are on an older version, your app may be vulnerable.

Your app needs to be on the latest .NET 8 patch version to be secure. The longer you wait to upgrade, the greater the exposure to CVEs.

## Which CVEs apply to my app?

Your app may be vulnerable to the following published security [CVEs](https://www.cve.org/) if you are using the given version or older.
- 8.0.1 (January 2024)
- [CVE-2024-0056 | .NET Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/292)
- [CVE-2024-0057 | .NET Security Feature Bypass Vulnerability](https://github.com/dotnet/announcements/issues/291)
- [CVE-2024-21319 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/290)
- 8.0.0 (November 2023)
- [CVE-2023-36049 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/287)
- [CVE-2023-36558 | .NET Security Feature Bypass Vulnerability](https://github.com/dotnet/announcements/issues/288)
- [CVE-2023-36038 | .NET Security Feature Bypass Vulnerability](https://github.com/dotnet/announcements/issues/286)

The CVE exposure is cumulative. For example, `8.0.0` users may be vulnerable to the CVEs present in `8.0.0` and newer releases. Similarly, `8.0.3` users may be vulnerable to the CVEs present in `8.0.4` and newer releases. The latest release is not vulnerable to any published CVEs.
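
Review bot: CVE-2023-36038 is titled ".NET Security Feature Bypass Vulnerability" under `8.0.0`, but the 6.0 file in this PR links the same announcement (issue 286) as ".NET Denial of Service Vulnerability"; check the announcement and use one title in both files. The list starts on the line directly after "if you are using the given version or older." with no blank line, unlike the 6.0 and 7.0 files, so add one to keep the Markdown list rendering consistent. The closing paragraph cites `8.0.3` and `8.0.4`, which are not in this list (the newest entry is 8.0.1), and says "`8.0.0` and newer releases" where the 6.0 file says "`6.0.1` and newer releases"; use an example that exists and the same wording as 6.0.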