7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29117

GHSA ID

GHSA-3rq8-h3gj-r5c6

EPSS Score

0.83837%

CWE

CWE-400

Published

8/30/2022

Updated

1/2/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-29117

CVE-2022-29117: .NET Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET 5.0 and .NET core 3.1 where a malicious client can manipulate cookies and cause a Denial of Service.

Affected software

Any .NET 6.0 application running on .NET 6.0.4 or earlier.
Any .NET 5.0 application running .NET 5.0.16 or earlier.
Any .NET Core 3.1 application running on .NET Core 3.1.24 or earlier.

Affected packages

.NET Core 3.1

| Package name | Affected versions | Patched versions | |---------------------------------------------------|-------------------|------------------| | Microsoft.Owin.Security.Cookies | <4.2.2 | 4.2.2 | | Microsoft.Owin.Security | <4.2.2 | 4.2.2 | | Microsoft.AspNetCore.App.Runtime.win-x64 | >=3.0.0,3.1.24 | 3.1.25 | | Microsoft.AspNetCore.App.Runtime.linux-x64 | >=3.0.0,3.1.24 | 3.1.25 | | Microsoft.AspNetCore.App.Runtime.win-x86 | >=3.0.0,3.1.24 | 3.1.25 | | Microsoft.AspNetCore.App.Runtime.osx-x64 | >=3.0.0,3.1.24 | 3.1.25 | | Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >=3.0.0,3.1.24 | 3.1.25 | | Microsoft.AspNetCore.App.Runtime.linux-arm64 | >=3.0.0,3.1.24 | 3.1.25 | | Microsoft.AspNetCore.App.Runtime.linux-arm | >=3.0.0,3.1.24 | 3.1.25 | | Microsoft.AspNetCore.App.Runtime.win-arm64 | >=3.0.0,3.1.24 | 3.1.25 | | Microsoft.AspNetCore.App.Runtime.win-arm | >=3.0.0,3.1.24 | 3.1.25 | | Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >=3.0.0,3.1.24 | 3.1.25 | | Microsoft.AspNetCore.App.Runtime.linux-musl-arm | >=3.0.0,3.1.24 | 3.1.25 |

.NET 5.0

| Affected packages | Affected versions | Patched versions | |---------------------------------------------------|-------------------|------------------| | Microsoft.Owin.Security.Cookies | < 4.2.2 | 4.2.2 | | Microsoft.AspNetCore.App.Runtime.win-x64 | >=5.0.0,5.0.16 | 5.0.17 | | Microsoft.AspNetCore.App.Runtime.linux-x64 | >=5.0.0,5.0.16 | 5.0.17 | | Microsoft.AspNetCore.App.Runtime.win-x86 | >=5.0.0,5.0.16 | 5.0.17 | | Microsoft.AspNetCore.App.Runtime.osx-x64 | >=5.0.0,5.0.16 | 5.0.17 | | Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >=5.0.0,5.0.16 | 5.0.17 | | Microsoft.AspNetCore.App.Runtime.linux-arm64 | >=5.0.0,5.0.16 | 5.0.17 | | Microsoft.AspNetCore.App.Runtime.linux-arm | >=5.0.0,5.0.16 | 5.0.17 | | Microsoft.AspNetCore.App.Runtime.win-arm64 | >=5.0.0,5.0.16 | 5.0.17 | | Microsoft.AspNetCore.App.Runtime.win-arm | >=5.0.0,5.0.16 | 5.0.17 | | Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >=5.0.0,5.0.16 | 5.0.17 | | Microsoft.AspNetCore.App.Runtime.linux-musl-arm | >=5.0.0,5.0.16 | 5.0.17 |

.NET 6.0

| Affected packages | Affected versions | Patched versions | |---------------------------------------------------|-------------------|------------------| | Microsoft.Owin.Security.Cookies | <4.2.2 | 4.2.2 | | Microsoft.AspNetCore.App.Runtime.win-x64 | >=6.0.0,6.0.4 | 6.0.5 | | Microsoft.AspNetCore.App.Runtime.linux-x64 | >=6.0.0,6.0.4 | 6.0.5 | | Microsoft.AspNetCore.App.Runtime.win-x86 | >=6.0.0,6.0.4 | 6.0.5 | | Microsoft.AspNetCore.App.Runtime.osx-x64 | >=6.0.0,6.0.4 | 6.0.5 | | Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >=6.0.0,6.0.4 | 6.0.5 | | Microsoft.AspNetCore.App.Runtime.linux-arm64 | >=6.0.0,6.0.4 | 6.0.5 | | Microsoft.AspNetCore.App.Runtime.linux-arm | >=6.0.0,6.0.4 | 6.0.5 | | Microsoft.AspNetCore.App.Runtime.win-arm64 | >=6.0.0,6.0.4 | 6.0.5 | | Microsoft.AspNetCore.App.Runtime.win-arm | >=6.0.0,6.0.4 | 6.0.5 | | Microsoft.AspNetCore.App.Runtime.osx-arm64 | >=6.0.0,6.0.4 | 6.0.5 | | Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >=6.0.0,6.0.4 | 6.0.5 | | Microsoft.AspNetCore.App.Runtime.linux-musl-arm | >=6.0.0,6.0.4 | 6.0.5 |

Patches

If you're using .NET Core 6.0, you should download and install Runtime 6.0.5 or SDK 6.0.105 (for Visual Studio 2022 v17.0) or SDK 6.0.203 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0.
If you're using .NET 5.0, you should download and install Runtime 5.0.17 or SDK 5.0.214 (for Visual Studio 2019 v16.9) or SDK 5.0.408 (for Visual Studio 2011 v16.11) from https://dotnet.microsoft.com/download/dotnet-core/5.0.
If you're using .NET Core 3.1, you should download and install Runtime 3.1.25 or SDK 3.1.419 (for Visual Studio 2019 v16.9 or Visual Studio 2011 16.11 or Visual Studio 2022 17.0 or Visual Studio 2022 17.1 ) from https://dotnet.microsoft.com/download/dotnet-core/3.1.

.NET 6.0, .NET 5.0 and .NET Core 3.1 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Other Details

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/220
An Issue for this can be found at https://github.com/dotnet/aspnetcore/issues/41608
MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29117

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29117

GHSA ID

GHSA-3rq8-h3gj-r5c6

EPSS Score

0.83837%

CWE

CWE-400

Published

8/30/2022

Updated

1/2/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Microsoft.AspNetCore.App.Runtime.win-x64	nuget	>= 3.0.0, <= 3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.win-x64	nuget	>= 5.0.0, <= 5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.win-x64	nuget	>= 6.0.0, <= 6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.linux-x64	nuget	>= 3.0.0, <= 3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.linux-x64	nuget	>= 5.0.0, <= 5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-x64	nuget	>= 6.0.0, <= 6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.win-x86	nuget	>= 3.0.0, <= 3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.win-x86	nuget	>= 5.0.0, <= 5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.win-x86	nuget	>= 6.0.0, <= 6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.osx-x64	nuget	>= 3.0.0, <= 3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.osx-x64	nuget	>= 5.0.0, <= 5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.osx-x64	nuget	>= 6.0.0, <= 6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.linux-musl-x64	nuget	>= 3.0.0, <= 3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.linux-musl-x64	nuget	>= 5.0.0, <= 5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-musl-x64	nuget	>= 6.0.0, <= 6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.linux-arm64	nuget	>= 3.0.0, <= 3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.linux-arm64	nuget	>= 5.0.0, <= 5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-arm64	nuget	>= 6.0.0, <= 6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.linux-arm	nuget	>= 3.0.0, <= 3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.linux-arm	nuget	>= 5.0.0, <= 5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-arm	nuget	>= 6.0.0, <= 6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.win-arm64	nuget	>= 3.0.0, <= 3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.win-arm64	nuget	>= 5.0.0, <= 5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.win-arm64	nuget	>= 6.0.0, <= 6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.win-arm	nuget	>= 3.0.0, <= 3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.win-arm	nuget	>= 5.0.0, <= 5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.win-arm	nuget	>= 6.0.0, <= 6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64	nuget	>= 3.0.0, <= 3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64	nuget	>= 5.0.0, <= 5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64	nuget	>= 6.0.0, <= 6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.linux-musl-arm	nuget	>= 3.0.0, <= 3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.linux-musl-arm	nuget	>= 5.0.0, <= 5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-musl-arm	nuget	>= 6.0.0, <= 6.0.4	6.0.5
Microsoft.Owin.Security.Cookies	nuget	< 4.2.2	4.2.2
Microsoft.Owin	nuget	< 4.2.2	4.2.2
Microsoft.AspNetCore.App.Runtime.osx-arm64	nuget	>= 6.0.0, < 6.0.5	6.0.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper cookie handling in OWIN's authentication middleware. Key indicators: 1) The CWE-400 classification points to resource management issues. 2) Affected packages include Microsoft.Owin.Security.Cookies. 3) The patch version 4.2.2 for these packages suggests fixes in cookie processing logic. These functions are core to cookie authentication and would be responsible for parsing/validating untrusted cookie input. The lack of size limits and validation in these functions would allow attackers to exhaust server resources through malicious cookie payloads.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Mi*roso*t is r*l**sin* t*is s**urity **visory to provi** in*orm*tion **out * vuln*r**ility in .N*T *.*, .N*T *.* *n* .N*T *or* *.*. T*is **visory *lso provi**s *ui**n** on w**t **v*lop*rs **n *o to up**t* t**ir *ppli**tions to r*mov* t*is vuln*r**ili

Reasoning

T** vuln*r**ility st*ms *rom improp*r *ooki* **n*lin* in OWIN's *ut**nti**tion mi**l*w*r*. K*y in*i**tors: *) T** *W*-*** *l*ssi*i**tion points to r*sour** m*n***m*nt issu*s. *) *****t** p**k***s in*lu** Mi*roso*t.Owin.S**urity.*ooki*s. *) T** p*t**

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-29117: .NET Denial of Service Vulnerability

Affected software

Affected packages

Patches

Other Details

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI