Affected .net versions by CVE-2024-0057

Matěj Prášek 20 Reputation points
2024-02-23T10:58:23.21+00:00

Hello, I am concerned about CVE-2024-0057 and would like to know if .NET Core is affected. I have checked the security advisory here and can see that all supported versions of .NET (.NET 6 through .NET 8) are impacted. However, I am specifically interested in older, non-supported versions. Since our release and deployment process makes it difficult to update already deployed systems to the latest .NET version, I want to know if .NET Core is affected too given that it is the predecessor to .NET 5 and later. Or is the vulnerability only introduced in .NET 5/.NET 6? Thank you.

.NET
.NET
Microsoft Technologies based on the .NET software framework.
3,324 questions
C#
C#
An object-oriented and type-safe programming language that has its roots in the C family of languages and includes support for component-oriented programming.
10,165 questions
.NET Runtime
.NET Runtime
.NET: Microsoft Technologies based on the .NET software framework.Runtime: An environment required to run apps that aren't compiled to machine language.
1,115 questions
{count} votes

Accepted answer
  1. Michael Taylor 47,461 Reputation points
    2024-02-23T16:19:34.8266667+00:00

    Without knowing what the actual vulnerable code is it is hard to say. However looking at the link it says that System.Security.Cryptography.X509Certificates.dll <= 6.0.125 are impacted. That would lead me to believe that this impacts all versions prior to v6 as well, so yes you are vulnerable.

    However System.Security.Cryptography.dll is only for v7 to v8 so .NET Core would be fine. If it weren't fine then you'd expect to see v6 of the binary impacted by the vulnerability as well.

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful