CVE-2021-1721:
Denial of service in .NET core
6.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.91156%
CWE
-
Published
5/24/2022
Updated
1/30/2023
KEV Status
No
Technology
C#
C#Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Microsoft.NETCore.App | nuget | >= 2.1.0, < 2.1.25 | 2.1.25 |
| Microsoft.NETCore.App.Host.linux-arm | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Host.linux-arm64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Host.linux-musl-arm64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Host.linux-musl-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Host.linux-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Host.osx-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Host.rhel.6-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Host.win-arm | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Host.win-arm64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Host.win-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Host.win-x86 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Runtime.linux-arm | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Runtime.linux-arm64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Runtime.linux-musl-arm64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Runtime.linux-musl-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Runtime.linux-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Runtime.osx-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Runtime.rhel.6-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Runtime.win-arm | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Runtime.win-arm64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Runtime.win-x64 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Runtime.win-x86 | nuget | >= 3.1.0, < 3.1.12 | 3.1.12 |
| Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-arm64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.osx-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-arm64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.Mono.LLVM.osx-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.Mono.linux-arm | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.Mono.linux-arm64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.Mono.linux-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.Mono.osx-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.android-arm | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.android-arm64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.android-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.android-x86 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.browser-wasm | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.ios-arm | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.ios-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.ios-x86 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.linux-arm | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.linux-arm64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.linux-musl-arm | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.linux-musl-arm64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.linux-musl-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.linux-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.osx-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.tvos-arm64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.tvos-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.win-arm | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.win-arm64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.win-x64 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
| Microsoft.NETCore.App.Runtime.win-x86 | nuget | >= 5.0.0, < 5.0.3 | 5.0.3 |
Vulnerability Intelligence
Miggo AI
Miggo AIRoot Cause Analysis
The vulnerability description explicitly mentions X509 certificate chain building during HTTPS requests as the attack vector. The X509Chain.Build method is the core component responsible for certificate chain validation in .NET. The advisory indicates fixes were applied across multiple runtime versions, suggesting a fundamental flaw in chain validation logic. While specific commit details aren't available, the technical context of certificate processing and the critical role of X509Chain.Build in chain validation make it the most likely vulnerable component with high confidence.