Why is the update for AspNet Core 6.0.21 (KB5029688) labeled as a Non Security update when there are 3 CVEs that have been fixed with this update? Shouldn't this be marked as a security update?
Notable Changes
.NET 6.0.21 release carries security fixes.
CVE-2023-35390 - .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists when some dotnet commands are used in directories with weaker permissions which can result in remote code execution.
CVE-2023-38180 - .NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.1, .NET 6.0, and .NET 7.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Kestrel where, on detecting a potentially malicious client, Kestrel will sometimes fail to disconnect it, resulting in denial of service.
CVE-2023-35391 - .NET Information Disclosure Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.1, .NET 6.0, and .NET 7.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in ASP.NET Core 2.1, .NET 6.0, and .NET 7.0 applications using SignalR when Redis backplane use might result in information disclosure.