2257696 – (CVE-2024-20672) CVE-2024-20672 dotnet: dotnet core Denial of Service Vulnerability

Bug 2257696 (CVE-2024-20672) - CVE-2024-20672 dotnet: dotnet core Denial of Service Vulnerability

Summary: CVE-2024-20672 dotnet: dotnet core Denial of Service Vulnerability

Keywords:
Status:	NEW
Alias:	CVE-2024-20672
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2257705
Blocks:	2255383
TreeView+	depends on / blocked

Reported:	2024-01-10 14:06 UTC by TEJ RATHI
Modified:	2025-03-01 08:28 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description TEJ RATHI 2024-01-10 14:06:10 UTC

.NET Core and Visual Studio Denial of Service Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20672

Comment 5 Omair Majid 2024-05-15 20:54:59 UTC

I have received word from Microsoft that this CVE does not apply to Linux.

Comment 6 Omair Majid 2024-05-29 15:22:40 UTC

https://github.com/dotnet/core/blob/main/release-notes/6.0/6.0.31/6.0.31.md#notable-changes says:

> CVE-2024-20672 | .NET Denial of Service Vulnerability
>
> Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
>
> A vulnerability exists in .NET when processing X.509 certificates that may result in Denial of Service. This vulnerabilty only affects macOS.

Note You need to log in before you can comment on or make changes to this bug.