CVE-2024-43499
Unchecked Input for Loop Condition (CWE-606)
Summary
The NrbfDecoder component in .NET 9 contains a denial of service vulnerability due to incorrect input validation. This vulnerability affects the .NET 9.0 framework.
Impact
This vulnerability could allow an attacker to cause a denial of service condition in applications using the affected .NET 9.0 framework. The attack vector is network-based, requiring no user interaction and no privileges. The vulnerability has a high impact on system availability, potentially causing disruption to services or applications built on .NET 9.0. The CVSS base score for this vulnerability is 7.5, indicating a high severity level.
Exploitation
There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.
Patch
A patch is available for this vulnerability. Microsoft has released updates to address this issue, and patches can be obtained from the Microsoft Update Guide. The patch was made available on November 12, 2024.
Mitigation
1. Update to the latest patched version of .NET 9.0 as soon as possible. 2. Monitor and limit network access to systems running .NET 9.0 applications until the patch can be applied. 3. Implement network segmentation to minimize the potential impact of a successful attack. 4. Review and validate input handling in applications using the NrbfDecoder component. 5. Keep systems and applications up-to-date with the latest security patches from Microsoft.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Timeline
A CVSS base score of 7.5 has been assigned.
Feedly found the first article mentioning CVE-2024-43499. See article
Feedly estimated the CVSS score as MEDIUM
NVD published the first details for CVE-2024-43499
Detection for the vulnerability has been added to Nessus (210867)
RedHat CVE advisory released a security advisory (CVE-2024-43499).
A CVSS base score of 7.5 has been assigned.