From 97c2aee39352a4e4138a9d5f022432fe98a87fb6 Mon Sep 17 00:00:00 2001 From: Rahul Bhandari Date: Wed, 24 Jan 2024 16:33:12 -0800 Subject: [PATCH] Update cve.md for all .NET Releases --- release-notes/6.0/cve.md | 59 +++++++++++++++++++--------------------- 1 file changed, 28 insertions(+), 31 deletions(-) diff --git a/release-notes/6.0/cve.md b/release-notes/6.0/cve.md index 905fc96ebb..44f6a15ca8 100644 --- a/release-notes/6.0/cve.md +++ b/release-notes/6.0/cve.md 
@@ -1,18 +1,18 @@ # .NET 6 CVEs -The .NET Team releases [monthly updates for .NET 6](https://github.com/dotnet/announcements/labels/.NET%206.0) on [Patch Tuesday](https://en.wikipedia.org/wiki/Patch_Tuesday). These updates often include security fixes. If you are on an older version, your app may be vulnerable. +The .NET Team releases [monthly updates for .NET 6](https://github.com/dotnet/announcements/labels/.NET%206.0) on [Patch Tuesday](https://en.wikipedia.org/wiki/Patch_Tuesday). These updates often include security fixes. Your app needs to be on the latest .NET 6 patch version to be secure. The longer you wait to upgrade, the greater the exposure to CVEs. ## Which CVEs apply to my app? -Your app may be vulnerable to the following published security [CVEs](https://www.cve.org/) if you are using the given version or older. +Your app may be vulnerable to the following published security [CVEs](https://www.cve.org/) if you are using an older .NET 6 patch version. + - 6.0.26 (January 2024) + - [CVE-2024-0056 | .NET Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/292) + - [CVE-2024-0057 | .NET Security Feature Bypass Vulnerability](https://github.com/dotnet/announcements/issues/291) - [CVE-2024-21319 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/290) - - [CVE-2024-0057 | .NET Security Feature bypass Vulnerability](https://github.com/dotnet/announcements/issues/291) - - [CVE-2024-0056 | Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/292) - 6.0.25 (November 2023) - - [CVE-2023-36038 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/286) - [CVE-2023-36049 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/287) - [CVE-2023-36558 | .NET Security Feature Bypass 
Vulnerability](https://github.com/dotnet/announcements/issues/288) - 6.0.24 (October 2023) @@ -33,9 +33,10 @@ Your app may be vulnerable to the following published security [CVEs](https://ww - 6.0.21 (August 2023) - [CVE-2023-35390 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/266) - [CVE-2023-38180 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/269) - - [CVE-2023-38178 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/268) - [CVE-2023-35391 | .NET Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/267) - 6.0.20 (July 2023) + - No new CVEs. +- 6.0.19 (June 2023) - [CVE-2023-24895 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/261) - [CVE-2023-24897 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/260) - [CVE-2023-24936 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/259) 
@@ -45,50 +46,46 @@ Your app may be vulnerable to the following published security [CVEs](https://ww - [CVE-2023-33126 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/254) - [CVE-2023-33128 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/253) - [CVE-2023-33135 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/252) -- 6.0.19 (June 2023) - - No additional CVEs. - 6.0.18 (June 2023) - - No additional CVEs. + - No new CVEs. - 6.0.17 (May 2023) - - No additional CVEs. + - No new CVEs. - 6.0.16 (April 2023) - - No additional CVEs. + - [CVE-2023-28260 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/250) - 6.0.15 (March 2023) - - No additional CVEs. + - No new CVEs. - 6.0.14 (February 2023) - [CVE-2023-21808 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/247) - 6.0.13 (January 2023) - - [CVE 2023-21538 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/244) + - [CVE-2023-21538 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/244) - 6.0.12 (December 2022) - - [CVE 2022-41089 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/242) + - [CVE-2022-41089 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/242) - 6.0.11 (November 2022) - - No additional CVEs. + - No new CVEs. - 6.0.10 (October 2022) - - No additional CVEs. 
+ - [CVE-2022-41032 | .NET Core Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/236) - 6.0.9 (September 2022) - - [CVE 2022-41032 | .NET Core Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/236) + - [CVE-2022-38013 | .NET Core Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/234) - 6.0.8 (August 2022) - - [CVE 2022-38013 | .NET Core Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/234) + - [CVE-2022-34716 | .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/232) - 6.0.7 (July 2022) - - [CVE 2022-34716 | .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/232) + - No new CVEs. - 6.0.6 (June 2022) - - No additional CVEs. + - [CVE-2022-30184 | .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/225) - 6.0.5 (May 2022) - - [CVE 2022-30184 | .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/225) + - [CVE-2022-29145 | ASP.NET Core Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/222) + - [CVE-2022-23267 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/221) + - [CVE-2022-29117 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/220) - 6.0.4 (April 2022) - - [CVE 2022-29145 | ASP.NET Core Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/222) - - [CVE 2022-23267 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/221) - - [CVE 2022-29117 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/220) + - No new CVEs. - 6.0.3 (March 2022) - - No additional CVEs. 
-- 6.0.2 (February 2022) - [CVE-2022-24512 | .NET Remote Code Execution](https://github.com/dotnet/announcements/issues/213) - [CVE-2022-24464 | ASP.NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/212) -- 6.0.1 (December 2021 +- 6.0.2 (February 2022) - [CVE-2022-21986 | ASP.NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/207) -- 6.0.0 (November 2021) +- 6.0.1 (December 2021) - [CVE-2021-43877 | ASP.NET Core Elevation of privilege Vulnerability](https://github.com/dotnet/announcements/issues/206) +- 6.0.0 (November 2021) + - No new CVEs. -The CVEs are displayed one month offset from when they were released. For example, the CVE listed with `6.0.0` was disclosed and a fix was published with `6.0.1`. `6.0.1` is not vulnerable to that CVE while `6.0.0` is. As a result, the CVE is listed with `6.0.0`, where it still applies. The same model is used for the other releases. - -The CVE exposure is cumulative. For example, `6.0.0` users may be vulnerable to the CVEs present in `6.0.0` and newer releases. Similarly, `6.0.3` users may be vulnerable to the CVEs present in `6.0.4` and newer releases. The latest release is not vulnerable to any published CVEs. +CVE exposure is cumulative. For example, apps running on the `6.0.0` release may be vulnerable to the CVEs present in `6.0.1` and newer releases. The latest release is not vulnerable to any published CVEs.
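Review bot: in the first hunk (@@ -1,18 +1,18), retitling CVE-2024-0056 from "Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider Information Disclosure Vulnerability" to ".NET Information Disclosure Vulnerability" drops the only hint that the issue is scoped to the SqlClient data providers, which is exactly what a reader triaging exposure needs; keep the component in the link text, or add it after the generic title. In the same hunk, CVE-2023-36038 (announcements issue 286) is removed from the 6.0.25 (November 2023) list and does not reappear under any other version in this patch; if it was fixed in a .NET 6 release it belongs under that release, and if it does not apply to .NET 6 the removal should be called out in the commit message. Minor: the subject says "all .NET Releases" but the diff stat shows only release-notes/6.0/cve.md changed.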
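Review bot: in the second hunk (@@ -33,9 +33,10), CVE-2023-38178 (announcements issue 268) is dropped from the 6.0.21 (August 2023) list with no replacement anywhere else in the patch; a document whose purpose is to list exposure should not lose an entry without a stated reason. Separately, the CVE-2023-24895, CVE-2023-24897 and CVE-2023-24936 entries move from 6.0.20 (July 2023) to the newly inserted 6.0.19 (June 2023) heading, i.e. one release backwards, while the other relocated entries in this patch move one release forwards (CVE-2022-41032 from 6.0.9 to 6.0.10, CVE-2022-38013 from 6.0.8 to 6.0.9) and CVE-2023-35390 stays under 6.0.21. Under the new convention each CVE should sit under the patch version that shipped the fix, so please verify the June 2023 grouping against the linked announcement issues before merging.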
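Review bot: in the third hunk (@@ -45,50 +46,46), the removed closing paragraph ("The CVEs are displayed one month offset from when they were released ...") was the only place that explained the listing convention, and the replacement paragraph only states that exposure is cumulative. Since this patch changes the convention so that each CVE now sits under the patch version that contains its fix, add one sentence saying so next to "CVE exposure is cumulative."; without it, "if you are using an older .NET 6 patch version" in the intro and the `6.0.0` / `6.0.1` example can be read either way. The new 6.0.16 (April 2023) entry CVE-2023-28260 (issue 250) has no counterpart among the removed lines, so it is either a previously missing CVE or deserves a mention in the commit message. The identifier fixes ("CVE 2023-21538" to "CVE-2023-21538" and the matching "CVE 2022-..." entries), the restored ")" on "6.0.1 (December 2021", and the explicit "6.0.0 (November 2021) - No new CVEs." entry are all good.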