Bug 2221854 (CVE-2023-33170)
| Field | Value |
|---|---|
| Summary | CVE-2023-33170 dotnet: race condition in ASP.NET Core `SignInManager<TUser>.PasswordSignInAsync` method |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | TEJ RATHI <trathi> |
| Assignee | Nobody <nobody> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | andrew.slice, bodavis, dbhole, kanderso, lvaleeva, omajid, rwagner, security-response-team |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | dotnet 6.0.20, dotnet 7.0.9 |
| Doc Text | A race condition was found in ASP.NET Core Identity's `SignInManager<TUser>.PasswordSignInAsync` method. The user's failed-access count, which drives account lockout once the configured maximum number of failed attempts is reached, may not be updated immediately, so concurrent sign-in requests can each be processed before lockout takes effect. A remote attacker can use this to try more passwords than the lockout policy allows, bypassing a security feature with an impact on confidentiality, integrity, and availability. |
| Last Closed | 2023-07-13 13:41:44 UTC |
| Bug Depends On | 2222062, 2222064, 2222067, 2222069, 2222059, 2222060, 2222061, 2222063, 2222065, 2222066, 2222068, 2222071, 2222072 |
| Bug Blocks | 2221855 |
Description
TEJ RATHI
2023-07-11 05:28:19 UTC
The CVE is public now: https://github.com/dotnet/core/blob/7cc69f36461a2aefe4c29acb46d6816cd741a8a3/release-notes/7.0/7.0.9/7.0.9.md#notable-changes

Created dotnet6.0 tracking bugs for this issue:
Affects: fedora-all [bug 2222071]

Created dotnet7.0 tracking bugs for this issue:
Affects: fedora-all [bug 2222072]

References:
https://devblogs.microsoft.com/dotnet/july-2023-updates/
https://github.com/advisories/GHSA-25c8-p796-jg6r
https://github.com/dotnet/announcements/issues/264
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33170

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2023:4058 https://access.redhat.com/errata/RHSA-2023:4058

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2023:4059 https://access.redhat.com/errata/RHSA-2023:4059

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2023:4057 https://access.redhat.com/errata/RHSA-2023:4057

This issue has been addressed in the following products:
.NET Core on Red Hat Enterprise Linux
Via RHSA-2023:4061 https://access.redhat.com/errata/RHSA-2023:4061

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2023:4060 https://access.redhat.com/errata/RHSA-2023:4060

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2023-33170

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.0 Extended Update Support
Via RHSA-2023:4449 https://access.redhat.com/errata/RHSA-2023:4449

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.6 Extended Update Support
Via RHSA-2023:4448 https://access.redhat.com/errata/RHSA-2023:4448
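The following is an added example, not code from this Bugzilla page or from the dotnet/aspnetcore project. It models the failure mode the Doc Text describes (a lockout counter that is read, then written back after the password check, so a burst of concurrent requests never reaches the threshold) next to the atomic check-and-increment that closes the window, and it adds a check of an installed runtime against the "Fixed In Version" values on this page. The class and function names are illustrative and are not the ASP.NET Core Identity API; the mapping of the fix to the `Microsoft.AspNetCore.App` shared runtime at 6.0.20 / 7.0.9 and the `dotnet --list-runtimes` sample line are assumptions.

```python
"""Toy model of the CVE-2023-33170 lockout race (added example, illustrative names)."""
import threading
import time
from collections import Counter

MAX_FAILED_ATTEMPTS = 5    # plays the role of Lockout.MaxFailedAccessAttempts
RACE_WINDOW_SECONDS = 0.1  # widens the read/write gap so the race reproduces reliably


class UserStore:
    """Toy single-user store holding the lockout counter."""

    def __init__(self, password):
        self.password = password
        self.failed_count = 0
        self.password_checks = 0            # how many guesses were actually verified
        self.lock = threading.Lock()        # guards failed_count in the fixed path
        self._stats_lock = threading.Lock()

    def count_check(self):
        with self._stats_lock:
            self.password_checks += 1


def racy_sign_in(store, guess, barrier):
    """Vulnerable pattern: read the counter, verify, then write count+1 back.
    Every request that reads before the first write sees the same stale
    count, so the lockout threshold is never reached during a burst."""
    barrier.wait()                          # line the concurrent requests up
    count = store.failed_count              # read
    if count >= MAX_FAILED_ATTEMPTS:
        return "locked_out"
    store.count_check()
    if guess == store.password:
        store.failed_count = 0
        return "success"
    time.sleep(RACE_WINDOW_SECONDS)         # stands in for hashing / DB latency
    store.failed_count = count + 1          # write of a stale value
    return "failed"


def fixed_sign_in(store, guess, barrier):
    """Fixed pattern: lockout check and increment are one atomic step (the
    attempt is reserved before verifying), so at most MAX_FAILED_ATTEMPTS
    guesses are verified between resets.  A database-backed store would do
    the same with a conditional UPDATE or a concurrency stamp."""
    barrier.wait()
    with store.lock:
        if store.failed_count >= MAX_FAILED_ATTEMPTS:
            return "locked_out"
        store.failed_count += 1             # attempt slot reserved atomically
    store.count_check()
    time.sleep(RACE_WINDOW_SECONDS)
    if guess == store.password:
        with store.lock:
            store.failed_count = 0          # successful sign-in clears the counter
        return "success"
    return "failed"


def run_burst(sign_in, n_requests, password="correct horse", guess="wrong"):
    """Fire n_requests concurrent sign-ins at one account and return
    (outcome counts, password checks performed, final failed_count)."""
    store = UserStore(password)
    barrier = threading.Barrier(n_requests)
    outcomes, outcomes_lock = Counter(), threading.Lock()

    def worker():
        result = sign_in(store, guess, barrier)
        with outcomes_lock:
            outcomes[result] += 1

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return dict(outcomes), store.password_checks, store.failed_count


# "Fixed In Version" on this page: dotnet 6.0.20 and 7.0.9.  Assumption: the fix
# ships in the Microsoft.AspNetCore.App shared runtime at those versions.
FIXED_ASPNETCORE = {(6, 0): (6, 0, 20), (7, 0): (7, 0, 9)}


def aspnetcore_runtime_is_fixed(list_runtimes_line):
    """Parse one line of `dotnet --list-runtimes` output.  Returns True/False for
    Microsoft.AspNetCore.App 6.0.x / 7.0.x, or None for other runtimes or
    release lines this bug does not cover."""
    parts = list_runtimes_line.split(" ", 2)
    if len(parts) < 2 or parts[0] != "Microsoft.AspNetCore.App":
        return None
    version = tuple(int(p) for p in parts[1].split("-")[0].split("."))
    fixed = FIXED_ASPNETCORE.get(version[:2])
    return None if fixed is None else version >= fixed


if __name__ == "__main__":
    for name, fn in (("racy", racy_sign_in), ("fixed", fixed_sign_in)):
        print(name, run_burst(fn, 20))
    # Constructed sample line in the format `dotnet --list-runtimes` prints.
    print(aspnetcore_runtime_is_fixed(
        "Microsoft.AspNetCore.App 6.0.19 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]"))
```

Running the burst of 20 wrong passwords shows the point of the CVE: the racy path verifies all 20 guesses and leaves the counter at 1, while the fixed path verifies exactly five and rejects the other fifteen as locked out. The version check is the same comparison you would run on a RHEL host after applying the listed errata; pipe `dotnet --list-runtimes` through it line by line.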