Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
An attacker could exploit this vulnerability by crafting a malicious payload that bypasses the security checks in the affected System.Security.Cryptography.Cose versions, potentially leading to unauthorized access or data manipulation.
Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/380
If your application does not use System.Security.Cryptography.Cose it is not affected. By default, no .NET applications reference this component.
The vulnerability affects any Microsoft .NET project if it uses any of affected packages versions listed below
Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- System.Security.Cryptography.Cose | >= 10.0.0, <= 10.0.2 | 10.0.3
Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- System.Security.Cryptography.Cose | >= 9.0.0, <= 9.0.12 | 9.0.13
Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- System.Security.Cryptography.Cose | >= 8.0.0, <= 8.0.1 | 8.0.2
10.0.38.0.29.0.13Exploitability
AV:NAC:LAT:NPR:NUI:NVulnerable System
VC:NVI:HVA:NSubsequent System
SC:NSI:NSA:N8.7/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N