CVE-2023-38180
Microsoft .NET Core and Visual Studio Denial-of-Service Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
YesDecision
Descriptions
.NET and Visual Studio Denial of Service Vulnerability
An uncontrolled resource consumption vulnerability was found in the Kestrel component of the dotNET. When detecting a potentially malicious client, Kestrel will sometimes fail to disconnect it, resulting in denial of service.
It was discovered that .NET did not properly handle the execution of certain commands. An attacker could possibly use this issue to achieve remote code execution. Benoit Foucher discovered that .NET did not properly implement the QUIC stream limit in HTTP/3. An attacker could possibly use this issue to cause a denial of service. It was discovered that .NET did not properly handle the disconnection of potentially malicious clients interfacing with a Kestrel server. An attacker could possibly use this issue to cause a denial of service.
Microsoft .NET Core and Visual Studio contain an unspecified vulnerability that allows for denial-of-service (DoS).
CVSS Scores
SSVC
- Decision:Act
Timeline
- 2023-07-12 CVE Reserved
- 2023-08-08 CVE Published
- 2023-08-09 Exploited in Wild
- 2023-08-30 KEV Due Date
- 2025-02-26 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
CAPEC
References (5)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180 | 2024-06-27 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2023-38180 | 2023-08-14 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2228621 | 2023-08-14 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Microsoft Search vendor "Microsoft" | .net Search vendor "Microsoft" for product ".net" | 6.0.0 Search vendor "Microsoft" for product ".net" and version "6.0.0" | - |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | .net Search vendor "Microsoft" for product ".net" | 7.0.0 Search vendor "Microsoft" for product ".net" and version "7.0.0" | - |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Asp.net Core Search vendor "Microsoft" for product "Asp.net Core" | 2.1 Search vendor "Microsoft" for product "Asp.net Core" and version "2.1" | - |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Visual Studio 2022 Search vendor "Microsoft" for product "Visual Studio 2022" | >= 17.2.0 < 17.2.18 Search vendor "Microsoft" for product "Visual Studio 2022" and version " >= 17.2.0 < 17.2.18" | - |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Visual Studio 2022 Search vendor "Microsoft" for product "Visual Studio 2022" | >= 17.4.0 < 17.4.10 Search vendor "Microsoft" for product "Visual Studio 2022" and version " >= 17.4.0 < 17.4.10" | - |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Visual Studio 2022 Search vendor "Microsoft" for product "Visual Studio 2022" | >= 17.6.0 < 17.6.6 Search vendor "Microsoft" for product "Visual Studio 2022" and version " >= 17.6.0 < 17.6.6" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 37 Search vendor "Fedoraproject" for product "Fedora" and version "37" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 38 Search vendor "Fedoraproject" for product "Fedora" and version "38" | - |
Affected
| ||||||