CVE-2024-38229

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)

Published: Oct 8, 2024 / Updated: 42d ago

010
CVSS 8.1EPSS 0.09%High
CVE info copied to clipboard

Summary

A vulnerability exists in ASP.NET when closing an HTTP/3 stream while application code is writing to the response body, a race condition may lead to use-after-free. This is a Concurrent Execution using Shared Resource with Improper Synchronization, also known as a Race Condition. It affects .NET 8.0 and .NET 9.0. The vulnerability can be exploited over the network without requiring user interaction or privileges. It has a high severity with a CVSS v3.1 base score of 8.1.

Impact

If exploited, this vulnerability could lead to high impacts on confidentiality, integrity, and availability of the affected system. Attackers could potentially leverage time-of-check and time-of-use (TOCTOU) race conditions to gain unauthorized access, modify data, or cause system disruptions. The vulnerability has a CVSS v3.1 base score of 8.1, indicating high severity. It can be exploited over the network without requiring user interaction or privileges, which increases its potential impact.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available for this vulnerability. The patch was added on October 8, 2024, and can be found in the Red Hat Bugzilla system under bug ID 2316161. Microsoft has also released updates to address this issue. For .NET 6.0 users utilizing HTTP/3, an upgrade to .NET 8.0.10 is recommended, as .NET 6.0 will not receive a security patch for this vulnerability.

Mitigation

To mitigate this vulnerability, it is strongly recommended to apply the available patch as soon as possible. Given the high severity score and the potential for remote exploitation without user interaction, this vulnerability should be prioritized for patching. Additionally, implement proper synchronization mechanisms for shared resources and review code for potential race conditions. If you are using .NET 6.0 with HTTP/3, upgrade to .NET 8.0.10 immediately.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Timeline

Vendor Advisory

GitHub Advisories released a security advisory.

Oct 8, 2024 at 5:23 PM
Vendor Advisory

RedHat CVE advisory released a security advisory (CVE-2024-38229).

Oct 8, 2024 at 5:30 PM
CVSS

A CVSS base score of 8.1 has been assigned.

Oct 8, 2024 at 5:30 PM / redhat-cve-advisories
First Article

Feedly found the first article mentioning CVE-2024-38229. See article

Oct 8, 2024 at 5:33 PM / Red Hat CVE Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 8, 2024 at 5:33 PM
CVE Assignment

NVD published the first details for CVE-2024-38229

Oct 8, 2024 at 6:15 PM
CVSS

A CVSS base score of 8.1 has been assigned.

Oct 8, 2024 at 6:20 PM / nvd
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (208286)

Oct 9, 2024 at 1:15 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (208306)

Oct 9, 2024 at 5:16 AM
Static CVE Timeline Graph

Affected Systems

Microsoft/.net
+null more

Patches

Github Advisory
+null more

Attack Patterns

CAPEC-26: Leveraging Race Conditions
+null more

References

October 2024 Security Updates - Release Notes - Security Update Guide - Microsoft
Role: Windows Hyper-V CVE-2024-20659 7.1 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C Exploitation Less Likely Yes No No Windows Hyper-V CVE-2024-30092 8.0 CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows EFI Partition CVE-2024-37976 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Kernel CVE-2024-37979 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows EFI Partition CVE-2024-37982 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows EFI Partition CVE-2024-37983 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No OpenSSH for Windows CVE-2024-38029 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Azure Monitor CVE-2024-38097 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C Exploitation Unlikely Yes No No Windows Netlogon CVE-2024-38124 9.0 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No Yes Windows Kerberos CVE-2024-38129 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No BranchCache CVE-2024-38149 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely No No No Azure Stack CVE-2024-38179 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely No No No Windows Routing and Remote Access Service (RRAS) CVE-2024-38212 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No .NET and Visual Studio CVE-2024-38229 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Routing and Remote Access Service (RRAS) CVE-2024-38261 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Remote Desktop Licensing Service CVE-2024-38262 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Routing and Remote Access Service (RRAS) CVE-2024-38265 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Routing and Remote Access Service (RRAS) CVE-2024-43453 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Remote Desktop Services CVE-2024-43456 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Microsoft Configuration Manager CVE-2024-43468 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes Yes No Service Fabric CVE-2024-43480 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Power BI CVE-2024-43481 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C Exploitation Less Likely Yes No No .NET, .NET Framework, Visual Studio CVE-2024-43483 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely No No No .NET, .NET Framework, Visual Studio CVE-2024-43484 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely No No No .NET and Visual Studio CVE-2024-43485 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely No No No Visual Studio Code CVE-2024-43488 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No DeepSpeed CVE-2024-43497 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Resilient File System (ReFS) CVE-2024-43500 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Common Log File System Driver CVE-2024-43501 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Kernel CVE-2024-43502 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C Exploitation More Likely Yes No No Microsoft Office SharePoint CVE-2024-43503 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Microsoft Office Excel CVE-2024-43504 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Microsoft Office Visio CVE-2024-43505 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No BranchCache CVE-2024-43506 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely No No No Microsoft Graphics Component CVE-2024-43508 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Microsoft Graphics Component CVE-2024-43509 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation More Likely Yes No No Windows Kernel CVE-2024-43511 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Standards-Based Storage Management Service CVE-2024-43512 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely No No No Windows BitLocker CVE-2024-43513 6.4 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows NTFS CVE-2024-43514 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Internet Small Computer Systems Interface (iSCSI) CVE-2024-43515 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely No No No Windows Secure Kernel Mode CVE-2024-43516 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Microsoft ActiveX CVE-2024-43517 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Telephony Server CVE-2024-43518 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Microsoft WDAC OLE DB provider for SQL CVE-2024-43519 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Kernel CVE-2024-43520 5.0 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Role: Windows Hyper-V CVE-2024-43521 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely No No No Windows Local Security Authority (LSA) CVE-2024-43522 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Mobile Broadband CVE-2024-43523 6.8 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Mobile Broadband CVE-2024-43524 6.8 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Mobile Broadband CVE-2024-43525 6.8 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Mobile Broadband CVE-2024-43526 6.8 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Kernel CVE-2024-43527 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Secure Kernel Mode CVE-2024-43528 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Print Spooler Components CVE-2024-43529 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No RPC Endpoint Mapper Service CVE-2024-43532 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Remote Desktop Client CVE-2024-43533 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No Yes Microsoft Graphics Component CVE-2024-43534 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Kernel-Mode Drivers CVE-2024-43535 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Mobile Broadband CVE-2024-43536 6.8 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Mobile Broadband CVE-2024-43537 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Mobile Broadband CVE-2024-43538 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Mobile Broadband CVE-2024-43540 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Microsoft Simple Certificate Enrollment Protocol CVE-2024-43541 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely No No No Windows Mobile Broadband CVE-2024-43542 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Mobile Broadband CVE-2024-43543 6.8 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Microsoft Simple Certificate Enrollment Protocol CVE-2024-43544 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely No No No Windows Online Certificate Status Protocol (OCSP) CVE-2024-43545 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely No No No Windows Cryptographic Services CVE-2024-43546 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Kerberos CVE-2024-43547 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Routing and Remote Access Service (RRAS) CVE-2024-43549 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Secure Channel CVE-2024-43550 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Storage CVE-2024-43551 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Shell CVE-2024-43552 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows NT OS Kernel CVE-2024-43553 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Kernel-Mode Drivers CVE-2024-43554 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Mobile Broadband CVE-2024-43555 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Microsoft Graphics Component CVE-2024-43556 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation More Likely Yes No No Windows Mobile Broadband CVE-2024-43557 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Mobile Broadband CVE-2024-43558 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Mobile Broadband CVE-2024-43559 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Storage Port Driver CVE-2024-43560 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation More Likely Yes No No Windows Mobile Broadband CVE-2024-43561 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Network Address Translation (NAT) CVE-2024-43562 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely No No No Windows Ancillary Function Driver for WinSock CVE-2024-43563 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Routing and Remote Access Service (RRAS) CVE-2024-43564 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Network Address Translation (NAT) CVE-2024-43565 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely No No No Role: Windows Hyper-V CVE-2024-43567 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely No No No Windows Kernel CVE-2024-43570 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Sudo for Windows CVE-2024-43571 5.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C Exploitation Less Likely Yes No Yes Microsoft Management Console CVE-2024-43572 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C Exploitation Detected Yes No No Windows MSHTML Platform CVE-2024-43573 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C Exploitation Detected Yes No No Microsoft Windows Speech CVE-2024-43574 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Role: Windows Hyper-V CVE-2024-43575 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely No No No Microsoft Office CVE-2024-43576 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No Yes OpenSSH for Windows CVE-2024-43581 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation More Likely Yes No No Windows Remote Desktop CVE-2024-43582 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Winlogon CVE-2024-43583 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation More Likely Yes No No Windows Scripting CVE-2024-43584 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Code Integrity Guard CVE-2024-43585 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C Exploitation Less Likely Yes No Yes Windows Routing and Remote Access Service (RRAS) CVE-2024-43589 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RC:C Exploitation Less Likely No No No Visual C++ Redistributable Installer CVE-2024-43590 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Azure CLI CVE-2024-43591 8.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Routing and Remote Access Service (RRAS) CVE-2024-43592 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Routing and Remote Access Service (RRAS) CVE-2024-43593 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Remote Desktop Client CVE-2024-43599 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Visual Studio Code CVE-2024-43601 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Visual Studio CVE-2024-43603 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitation Less Likely No No No Outlook for Android CVE-2024-43604 5.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Routing and Remote Access Service (RRAS) CVE-2024-43607 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Windows Routing and Remote Access Service (RRAS) CVE-2024-43608 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Microsoft Office CVE-2024-43609 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C Exploitation More Likely Yes No Yes Windows Routing and Remote Access Service (RRAS) CVE-2024-43611 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Power BI CVE-2024-43612 6.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C Exploitation Less Likely Yes No No Microsoft Defender for Endpoint CVE-2024-43614 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C Exploitation Less Likely No No No OpenSSH for Windows CVE-2024-43615 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation More Likely Yes No No Microsoft Office CVE-2024-43616 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitation Less Likely Yes No No
.NET and Visual Studio Remote Code Execution Vulnerability
Successful exploitation of this vulnerability requires an attacker to win a race condition. According to the CVSS metric, the attack complexity is high (AC:H).
.NET and .NET Framework October 2024 servicing releases updates
To help streamline and help you keep up to date with the latest service releases we have decided to combine our update posts around both .NET & .NET Framework so you can find all the information in one convenient location on the blog. Let's get into the latest release of .NET & .NET Framework, here is a quick overview of what's new in these releases:

News

Third-Party Software Update Catalog Release History – October 2024
Third-Party Software Update Catalog Release History – October 2024 In October 2024, our third-party software update catalog for Microsoft SCCM contained 1457 bug, feature, and security-related updates. Below you will find a full list of relevant updates and new products for October 2024. 1457 Total Updates 512 Security Updates 439 of the 512 security updates include CVE-IDs 105 New Products New Products: Altova XMLSpy 2025 Enterprise Edition 2025.00.00.0 (EXE-x64) Altova XMLSpy 2025 Enterprise Edition 2025.00.00.0 (EXE-x86) Altova XMLSpy 2025 Professional Edition 2025.00.00.0 (EXE-x64) Altova XMLSpy 2025 Professional Edition 2025.00.00.0 (EXE-x86) Amazon Athena ODBC Driver 2.0.3.0 (MSI-x64) Apache Tomcat 11.0 (EXE-x64) Autodesk AutoCAD Mechanical 2022 v26.0.76.0 (EXE-x64) Autodesk AutoCAD Mechanical 2023 v27.0.77.0 (EXE-x64) Autodesk AutoCAD Mechanical 2024 v28.0.91.0 (EXE-x64) Autodesk AutoCAD Mechanical 2025 v29.0.73.0 (EXE-x64) AWP Identity Manager 5.3.5.385 (MSI-x64) AWP Identity Manager 5.3.5.385 (MSI-x86) Cherry Keys 1.0.7.0 (MSI-x64) Cherry Keys 1.0.7.0 (MSI-x86) Connective Signing Plugins 2.0.9.0 (MSI-x86) Dell Peripheral Manager 1.7.6.0 (EXE-x64) DigiDoc4 Client 4.6.0.5305 (MSI-x64) Drata Agent 3.6.1.0 (User-x64) eBuddy 12.4.2.32082 (MSI-x86) eID Software 24.10.18.8368 (EXE-x64) Elgato 4K Capture Utility 1.7.13.6046 (MSI-x64) Elgato Camera Hub 1.11.0.4066 (MSI-x64) Elgato Control Center 1.7.1.600 (MSI-x64) eParakstitajs 3.0 1.8.0.0 (MSI-x64) eParakstitajs 3.0 1.8.0.0 (MSI-x86) EUROMOD 3.7.6.0 (EXE-x64) FastCopy 5.8.0.0 (User-x64) GitHub Desktop 3.4.8 (User-x64) Go Integrator Cara 4.5.0.8688 (EXE) Helix Visual Client P4V 242.43.2.0 (EXE-x64) Helix Visual Client P4V 242.43.2.0 (MSI-x64) INI Viewer and Editor 2.11.0.0 (EXE-x64) Input Director 2.3.0.0 (EXE-x64) Iridium Browser 116.0.0.0 (MSI-x64) Iridium Browser 116.0.0.0 (MSI-x86) JetBrains Rider 2022 223.8836.53.0 (EXE-x86) JetBrains Rider 2023 233.15026.35.0 (EXE-x86) JetBrains Rider 2024 242.23726.100.0 (EXE-x86) JetBrains Rider Latest 242.23726.100.0 (EXE-x86) JetBrains Space 2023.1.7.0 (User-x64) ksnip 1.10.1.0 (MSI-x64) LAV Filters 0.79.2.0 (EXE-x86) LocalSend 1.15.4.0 (EXE-x64) LocalSend 1.15.4.0 (User-x64) MailStore Client 24.100.22356.0 (MSI-x86) MailStore Outlook Add-in 24.100.22356.0 (MSI-x86) MaxCut 2.9.3.4 (EXE-x86) MerciApp 2.6.12 (User-x64) Microsoft Visual Studio Tools for Applications 2015 14.0.23829.0 (EXE-x86) Microsoft Visual Studio Tools for Applications 2017 15.0.26717.0 (EXE-x86) Microsoft Visual Studio Tools for Applications 2019 16.0.31110.0 (EXE-x86) Microsoft Visual Studio Tools for Applications 2022 17.0.33529.0 (EXE-x86) Monosnap 5.1.13.0 (User-x64) Mozilla Firefox ESR 128.3.0 (x64 ja) Mozilla Firefox ESR 128.3.0 (x86 ja) Mozilla Thunderbird 128.3.0 (x64 de) Mozilla Thunderbird 128.3.0 (x64 ES-es) Mozilla Thunderbird 128.3.0 (x64 fr) Mozilla Thunderbird 128.3.0 (x64 it) Mozilla Thunderbird 128.3.0 (x86 de) Mozilla Thunderbird 128.3.0 (x86 ES-es) Mozilla Thunderbird 128.3.0 (x86 fr) Mozilla Thunderbird 128.3.0 (x86 it) MTPuTTY 1.8.5.0 (EXE-x86) MTPuTTY 1.8.5.0 (User-x86) NetPad 0.8.0.0 (EXE-x64) NetPad 0.8.0.0 (User-x64) Nuclino 1.6.5.0 (User-x64) Nullsoft Scriptable Install System 3.10.0.0 (EXE-x86) NVivo 15.0.0.12 (EXE-x64) Octoparse 8.7.2.0 (EXE-x64) Oracle VirtualBox 7.1.2 (EXE-x64) Oracle VirtualBox Latest 7.1.2.0 (EXE-x64) Pix4Dmatic 1.63.1.0 (MSI-x64) Power BI ALM Toolkit 5.1.3.0 (MSI-x64) Prowise Presenter 1.0.0.0 (EXE-x64) Prowise Presenter 1.0.0.0 (MSI-x64) Prowise Reflect 1.2.0.0 (EXE-x86) PrusaSlicer 2.8.1.0 (EXE-x64) PVSOL 2024 v2024.4.0.0 (EXE-x86) PVSOL premium 2024 v2024.8.0.0 (EXE-x86) PVsyst 7.4.8.0 (EXE-x64) Python 3.13.150.0 (EXE-x64) Python 3.13.150.0 (EXE-x86) QENC Decrypter 1.2.0.22173 (EXE-x86) QNAP Qfinder Pro 7.11.1.0726 (EXE-x86) QNAP Qsync Client 5.1.6.0906 (EXE-x86) QuDedup Extract Tool 1.1.5.24208 (EXE-x86) Rainbow 2.139.2.0 (MSI-x86) Rainbow 2.139.2.0 (User-x64) Rancher Desktop 1.16.0.0 (MSI-x64) Regression Suite Automation Tool 2.7.16771.39 (MSI) SBC Configuration Wizard 2.31.0.0 (EXE-x86) Simba Athena ODBC Driver 1.x 1.2.3.1000 (MSI-x64) Simba Athena ODBC Driver 1.x 1.2.3.1000 (MSI-x86) Syslog Viewer 2.25.0.0 (EXE-x64) Tableau Desktop 2024.2 24.2.1060.0 (EXE-x64) Tableau Desktop 2024.3 24.3.425.0 (EXE-x64) Tableau Prep Builder 2024.2 24.2.40000.0 (EXE-x64) Tableau Prep Builder 2024.3 24.3.40066.0 (EXE-x64) Termius 9.8.3.0 (User-x64) Voxbi 2.11.46.0 (MSI-x86) WinDirStat 2.0.3.832 (MSI-x64) WinDirStat 2.0.3.832 (MSI-x86) WinZip 29.0.16250.0 (MSI-x64) Updates Added: (Oldest to Newest) 1Password 8.10.46 (MSI-x64) 1Password 8.10.46 (User) Release Notes for 1Password 8.10.46 Release Type: ⬤ ⬤ Scan Detection Ratio 0/60 VirusTotal Latest Scan Results (MSI-x64) Scan Detection Ratio 0/70 VirusTotal Latest Scan Results (User) Advanced Installer 22.1.0 (MSI-x86) Release Notes for Advanced Installer 22.1.0 (MSI-x86) Release Type: ⬤
Rocky Linux: RLSA-2024:7869 .NET 8.0 security update Security Advisories Updates
Important: .NET 8.0 security update
RockyLinux 8 : .NET 8.0 (RLSA-2024:7868)
The remote RockyLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:7868 advisory. The remote RockyLinux host is missing one or more security updates.
rocky_linux RLSA-2024:7868: RLSA-2024:7868: .NET 8.0 security update (Important)
Development Last Updated: 10/25/2024 CVEs: CVE-2024-43483 , CVE-2024-43484 , CVE-2024-43485 , CVE-2024-38229
Oracle Linux Bulletin - October 2024
Oracle Id: linuxbulletinoct2024 Release Date: 2024-10-15 Update Date: 2024-10-15 Description The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin. Oracle Linux Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs that had been resolved in those two months following the bulletin's publication. In addition, Oracle Linux Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next scheduled bulletin publication date. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle Linux Bulletin security patches as soon as possible. Oracle Linux Risk Matrix (Revision: 1 Published on 2024-10-15) CVE-2024-3596 CVSS Base Score :9.0 CVSS Vector :CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Product :
See 63 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:High
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI