7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-23267

GHSA ID

GHSA-485p-mrj5-8w2v

EPSS Score

0.83043%

CWE

CWE-400

Published

10/21/2022

Updated

1/2/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23267

CVE-2022-23267: .NET Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET 5.0 and .NET Core 3.1 where a malicious client can cause a Denial of Service via excess memory allocations through HttpClient.

Affected software

Any .NET 6.0 application running on .NET 6.0.4 or earlier.
Any .NET 5.0 application running .NET 5.0.16 or earlier.
Any .NET Core 3.1 applicaiton running on .NET Core 3.1.24 or earlier.

Patches

If you're using .NET Core 6.0, you should download and install Runtime 6.0.5 or SDK 6.0.105 (for Visual Studio 2022 v17.0) or SDK 6.0.203 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0.
If you're using .NET 5.0, you should download and install Runtime 5.0.17 or SDK 5.0.214 (for Visual Studio 2019 v16.9) or SDK 5.0.408 (for Visual Studio 2011 v16.11) from https://dotnet.microsoft.com/download/dotnet-core/5.0.
If you're using .NET Core 3.1, you should download and install Runtime 3.1.25 or SDK 3.1.419 (for Visual Studio 2019 v16.9 or Visual Studio 2011 16.11 or Visual Studio 2022 17.0 or Visual Studio 2022 17.1 ) from https://dotnet.microsoft.com/download/dotnet-core/3.1.

.NET 6.0, .NET 5.0 and .NET Core 3.1 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Other Details

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/221 An Issue for this can be found at https://github.com/dotnet/runtime/issues/69149 MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-23267

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-23267

CVE-2022-23267:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-23267

GHSA ID

GHSA-485p-mrj5-8w2v

EPSS Score

0.83043%

CWE

CWE-400

Published

10/21/2022

Updated

1/2/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Microsoft.AspNetCore.App.Runtime.linux-arm	nuget	>= 3.0.0, < 3.1.25	3.1.25
Microsoft.AspNetCore.App.Runtime.linux-arm64	nuget	>= 3.0.0, < 3.1.25	3.1.25
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64	nuget	>= 3.0.0, < 3.1.25	3.1.25
Microsoft.AspNetCore.App.Runtime.linux-musl-x64	nuget	>= 3.0.0, < 3.1.25	3.1.25
Microsoft.AspNetCore.App.Runtime.linux-x64	nuget	>= 3.0.0, < 3.1.25	3.1.25
Microsoft.AspNetCore.App.Runtime.osx-x64	nuget	>= 3.0.0, < 3.1.25	3.1.25
Microsoft.AspNetCore.App.Runtime.win-arm	nuget	>= 3.0.0, < 3.1.25	3.1.25
Microsoft.AspNetCore.App.Runtime.win-arm64	nuget	>= 3.0.0, < 3.1.25	3.1.25
Microsoft.AspNetCore.App.Runtime.win-x64	nuget	>= 3.0.0, < 3.1.25	3.1.25
Microsoft.AspNetCore.App.Runtime.win-x86	nuget	>= 3.0.0, < 3.1.25	3.1.25
Microsoft.AspNetCore.App.Runtime.win-x64	nuget	>= 5.0.0, < 5.0.17	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-x64	nuget	>= 5.0.0, < 5.0.17	5.0.17
Microsoft.AspNetCore.App.Runtime.win-x86	nuget	>= 5.0.0, < 5.0.17	5.0.17
Microsoft.AspNetCore.App.Runtime.osx-x64	nuget	>= 5.0.0, < 5.0.17	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-musl-x64	nuget	>= 5.0.0, < 5.0.17	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-arm64	nuget	>= 5.0.0, < 5.0.17	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-arm	nuget	>= 5.0.0, < 5.0.17	5.0.17
Microsoft.AspNetCore.App.Runtime.win-arm64	nuget	>= 5.0.0, < 5.0.17	5.0.17
Microsoft.AspNetCore.App.Runtime.win-arm	nuget	>= 5.0.0, < 5.0.17	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64	nuget	>= 5.0.0, < 5.0.17	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-musl-arm	nuget	>= 5.0.1, < 5.0.17	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-arm	nuget	>= 6.0.0, < 6.0.5	6.0.5
Microsoft.AspNetCore.App.Runtime.linux-arm64	nuget	>= 6.0.0, < 6.0.5	6.0.5
Microsoft.AspNetCore.App.Runtime.linux-musl-arm	nuget	>= 6.0.0, < 6.0.5	6.0.5
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64	nuget	>= 6.0.0, < 6.0.5	6.0.5
Microsoft.AspNetCore.App.Runtime.linux-musl-x64	nuget	>= 6.0.0, < 6.0.5	6.0.5
Microsoft.AspNetCore.App.Runtime.linux-x64	nuget	>= 6.0.0, < 6.0.5	6.0.5
Microsoft.AspNetCore.App.Runtime.osx-arm64	nuget	>= 6.0.0, < 6.0.5	6.0.5
Microsoft.AspNetCore.App.Runtime.osx-x64	nuget	>= 6.0.0, < 6.0.5	6.0.5
Microsoft.AspNetCore.App.Runtime.win-arm	nuget	>= 6.0.0, < 6.0.5	6.0.5
Microsoft.AspNetCore.App.Runtime.win-arm64	nuget	>= 6.0.0, < 6.0.5	6.0.5
Microsoft.AspNetCore.App.Runtime.win-x64	nuget	>= 6.0.0, < 6.0.5	6.0.5
Microsoft.AspNetCore.App.Runtime.win-x86	nuget	>= 6.0.0, < 6.0.5	6.0.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (CWE-400) stems from uncontrolled memory allocations via HttpClient. The provided advisory and CVE details indicate that malicious clients exploit this by triggering excessive memory usage. Key functions involved in reading HTTP content (e.g., ReadAsByteArrayAsync) or managing request/response cycles (e.g., SendAsync in SocketsHttpHandler) are prime candidates. These functions directly handle input that, without proper size validation, lead to resource exhaustion. The confidence is 'medium' due to the lack of explicit patch code, but the functions align with the described vulnerability mechanism and .NET's HTTP stack design.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-23267: .NET Denial of Service Vulnerability

Affected software

Patches

Other Details

CVE-2022-23267:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Basic Information

Basic Information

Technical Details

7.5

7.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-23267: .NET Denial of Service Vulnerability

Affected software

Patches

Other Details

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-23267: .NET Denial of Service Vulnerability

Affected software

Patches

Other Details

CVE-2022-23267:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

7.5

7.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-23267: .NET Denial of Service Vulnerability

Affected software

Patches

Other Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI