CVE-2018-8409

CWE-400 — Uncontrolled Resource Consumption7 documents7 sources

Severity

7.5HIGH

EPSS

14.3%

top 5.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft .net Core Microsoft Asp.net Core Microsoft System.io.pipelines

Timeline

PublishedSep 13

Latest updateOct 16

Description

A denial of service vulnerability exists when System.IO.Pipelines improperly handles requests, aka "System.IO.Pipelines Denial of Service." This affects .NET Core 2.1, System.IO.Pipelines, ASP.NET Core 2.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages9 packages

▶NuGetSystem.IO.Pipelines4.5.0 — 4.5.1

▶CVEListV5microsoft/system.io.pipelinesSystem.IO.Pipelines

▶NVDmicrosoft/system.io.pipelines4.5.0

▶NVDmicrosoft/.net_core2.1 — 2.1.4

▶NVDmicrosoft/asp.net_core2.1 — 2.1.4

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

Denial of service vulnerability exists when System.IO.Pipelines improperly handles requests↗2018-10-16

▶

OSV

Denial of service vulnerability exists when System.IO.Pipelines improperly handles requests↗2018-10-16

▶

CVEList

CVE-2018-8409: A denial of service vulnerability exists when System↗2018-09-13

▶

📋Vendor Advisories

Microsoft

System.IO.Pipelines Denial of Service↗2018-09-11

▶

Red Hat

NET: Resource loop in ReadAsync when it is being cancelled while producer allocates memory using GetMemory↗2018-09-11

▶

💬Community

Bugzilla

CVE-2018-8409 .NET: Resource loop in ReadAsync when it is being cancelled while producer allocates memory using GetMemory↗2018-09-06

▶