CVE-2024-38167

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

Published: Aug 13, 2024 / Updated: 3mo ago

CVSS 6.5 / EPSS 0.09% / Medium

Summary

A vulnerability exists in .NET runtime TlsStream which may result in Information Disclosure. This issue affects .NET 8.0 and Visual Studio 2022.

Impact

This vulnerability could lead to the exposure of sensitive information to unauthorized actors. The attack vector is network-based and requires user interaction. The confidentiality impact is rated as HIGH, while integrity and availability impacts are NONE. This suggests that an attacker could potentially access sensitive data but cannot modify or disrupt system operations.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. Microsoft has released updates to address this vulnerability.

Mitigation

1. Update .NET to version 8.0.8 or later.
2. Update Visual Studio 2022 to the following versions based on your current version:
   - Version 17.10.6 or later if you're using 17.10.x
   - Version 17.8.13 or later if you're using 17.8.x
   - Version 17.6.18 or later if you're using 17.6.x
3. If immediate patching is not possible, limit network exposure for all affected systems, bearing in mind that exploitation requires user interaction.
4. Monitor for any suspicious network activity that might indicate attempts to exploit this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

Timeline

Vendor Advisory

RedHat CVE advisory released a security advisory (CVE-2024-38167).

Aug 13, 2024 at 4:50 PM
CVSS

A CVSS base score of 6.5 has been assigned.

Aug 13, 2024 at 4:50 PM / redhat-cve-advisories
First Article

Feedly found the first article mentioning CVE-2024-38167.

Aug 13, 2024 at 4:54 PM / Red Hat CVE Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Aug 13, 2024 at 4:54 PM
CVE Assignment

NVD published the first details for CVE-2024-38167

Aug 13, 2024 at 6:15 PM
Vendor Advisory

GitHub Advisories released a security advisory.

Aug 13, 2024 at 6:22 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (206237)

Aug 27, 2024 at 11:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (286082)

Aug 28, 2024 at 5:17 AM
CVSS

A CVSS base score of 6.5 has been assigned.

Sep 27, 2024 at 11:50 PM / microsoft

Affected Systems

Microsoft/visual_studio_2022

Patches

Microsoft

Links to Mitre Att&cks

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-116: Excavation

References

.NET and Visual Studio Information Disclosure Vulnerability
According to the CVSS metric, user interaction is required (UI:R). What type of information could be disclosed by this vulnerability?
Microsoft August 2024 Security Updates
Classification: Critical, Solution: Official Fix, Exploit Maturity: High, CVSSv3.1: 9.8, CVEs: CVE-2024-21302, CVE-2024-29995, CVE-2024-37968, CVE-2024-38063, CVE-2024-38084, CVE-2024-38098, CVE-2024-38106, CVE-2024-38107, CVE-2024-38108, CVE-2024-38109, CVE-2024-38114, CVE-2024-38115, CVE-2024-38116, CVE-2024-38117, CVE-2024-38118, CVE-2024-38120, CVE-2024-38121, CVE-2024-38122, CVE-2024-38123, CVE-2024-38125 (+82 other associated CVEs), Summary: https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2024-patch-tuesday-fixes-9-zero-days-6-exploited/ Today is Microsoft's August 2024 Patch Tuesday, which includes security updates for 89 flaws, including six actively exploited and three publicly disclosed zero-days. Microsoft is still working on an update for a tenth publicly disclosed zero-day. This Patch Tuesday fixed eight critical vulnerabilities, which were a mixture of elevation of privileges, remote code execution, and information disclosure. The number of bugs in each vulnerability category is listed below:
.NET and .NET Framework August 2024 updates
Note: There are no new security updates for .NET Framework this month. To help streamline and help you keep up to date with the latest service releases we have decided to combine our update posts around both .NET & .NET Framework so you can find all the information in one convenient location on the blog.

News

CVE-2024-38167 .NET and Visual Studio Information Disclosure Vulnerability
.NET and Visual Studio Information Disclosure Vulnerability
According to the CVSS metric, user interaction is required (UI:R). What type of information could be disclosed by this vulnerability?
Third-Party Software Update Catalog Release History – August 2024
In August 2024, our third-party software update catalog for Microsoft SCCM contained 1039 bug, feature, and security-related updates. Below you will find a full list of relevant updates and new products for August 2024. 1039 Total Updates, 179 Security Updates, 131 of the 179 security updates include CVE-IDs, 110 New Products.
Security: Information disclosure in dotnet8.0 (Fedora)
cross platform applications that work on Linux, macOS and Windows. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
Fedora 40: dotnet8.0 2024-f4eb809b49 Security Advisory Updates
Summary : .NET Runtime and SDK This is the August 2024 monthly update for .NET 8.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
