
CVE-2021-1721: Denial of service in .NET core

CVSS Score: 6.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.91156%
CWE: -
Published: 5/24/2022
Updated: 1/30/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
Microsoft.NETCore.App | nuget | >= 2.1.0, < 2.1.25 | 2.1.25
Microsoft.NETCore.App.Host.linux-arm | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Host.linux-arm64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Host.linux-musl-arm64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Host.linux-musl-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Host.linux-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Host.osx-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Host.rhel.6-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Host.win-arm | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Host.win-arm64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Host.win-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Host.win-x86 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Runtime.linux-arm | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Runtime.linux-arm64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Runtime.linux-musl-arm64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Runtime.linux-musl-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Runtime.linux-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Runtime.osx-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Runtime.rhel.6-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Runtime.win-arm | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Runtime.win-arm64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Runtime.win-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Runtime.win-x86 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-arm64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.osx-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-arm64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.Mono.LLVM.osx-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.Mono.linux-arm | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.Mono.linux-arm64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.Mono.linux-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.Mono.osx-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.android-arm | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.android-arm64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.android-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.android-x86 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.browser-wasm | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.ios-arm | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.ios-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.ios-x86 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.linux-arm | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.linux-arm64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.linux-musl-arm | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.linux-musl-arm64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.linux-musl-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.linux-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.osx-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.tvos-arm64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.tvos-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.win-arm | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.win-arm64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.win-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3
Microsoft.NETCore.App.Runtime.win-x86 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability description explicitly names X509 certificate chain building during HTTPS requests as the attack vector. X509Chain.Build is the core method responsible for certificate chain validation in .NET. The advisory indicates that fixes were applied across multiple runtime versions, which suggests a fundamental flaw in the chain validation logic. Specific commit details are not available, but the certificate-processing context and the central role of X509Chain.Build in chain validation make it the most likely vulnerable component, with high confidence.

WAF Protection Rules

WAF Rule

.NET Core and Visual Studio Denial of Service Vulnerability due to a vulnerability which exists when creating HTTPS web request during X509 certificate chain building.
