GHSA-w3x6-4m5h-cxqf

Executive Summary:

Microsoft is releasing this security advisory to provide information about a vulnerability in System.Security.Cryptography.Xml. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in EncryptedXml class where uncontrolled resource consumption can give an attacker to the ability to perform a Denial of Service attack.

Announcement

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/389

CVSS Details

• Version: 3.1
• Severity: High
• Score: 7.5
• Vector: 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H E:U/RL:O/RC:C
• Weakness: CWE-400 CWE-611: Uncontrolled Resource Consumption Improper Restriction of XML External Entity Reference

Affected Platforms

• Platforms: All
• Architectures: All

<a name="affected-packages"></a>Affected Packages

The vulnerability affects any Microsoft .NET project if it uses any of affected packages versions listed below

<a name=".NET 10"></a>.NET 10

Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- System.Security.Cryptography.xml | >=10.0.0, <=10.0.5; | 10.0.6

<a name=".NET 9"></a>.NET 9

Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- System.Security.Cryptography.xml | >=9.0.0, <=9.0.14; | 9.0.15

<a name=".NET 8"></a>.NET 8

Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- System.Security.Cryptography.xml | >=8.0.0, <=8.0.2; | 8.0.3

Advisory FAQ

<a name="how-affected"></a>How do I know if I am affected?

If...