Update cve.md for all .NET Releases (#9086)

* Update cve.md for all .NET Releases * Create cve.md * Create cve.md * Update release-notes/6.0/cve.md Co-authored-by: Rich Lander <[email protected]> --------- Co-authored-by: Rich Lander <[email protected]>
dotnet · Jan 25, 2024 · 6ba9d70 · 6ba9d70
1 parent 10a9783
commit 6ba9d70
Show file tree

Hide file tree

Showing 3 changed files with 117 additions and 31 deletions.
diff --git a/release-notes/6.0/cve.md b/release-notes/6.0/cve.md
@@ -1,18 +1,18 @@
 # .NET 6 CVEs
 
-The .NET Team releases [monthly updates for .NET 6](https://github.com/dotnet/announcements/labels/.NET%206.0) on [Patch Tuesday](https://en.wikipedia.org/wiki/Patch_Tuesday). These updates often include security fixes. If you are on an older version, your app may be vulnerable.
+The .NET Team releases [monthly updates for .NET 6](https://github.com/dotnet/announcements/labels/.NET%206.0) on [Patch Tuesday](https://en.wikipedia.org/wiki/Patch_Tuesday). These updates often include security fixes.
 
 Your app needs to be on the latest .NET 6 patch version to be secure. The longer you wait to upgrade, the greater the exposure to CVEs.
 
 ## Which CVEs apply to my app?
 
-Your app may be vulnerable to the following published security [CVEs](https://www.cve.org/) if you are using the given version or older.
+Your app may be vulnerable to the following published security [CVEs](https://www.cve.org/) if you are using an older .NET 6 patch version.
+
 - 6.0.26 (January 2024)
+  - [CVE-2024-0056](https://github.com/dotnet/announcements/issues/292) | .NET Information Disclosure Vulnerability
+  - [CVE-2024-0057 | .NET Security Feature Bypass Vulnerability](https://github.com/dotnet/announcements/issues/291)
   - [CVE-2024-21319 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/290)
-  - [CVE-2024-0057 | .NET Security Feature bypass Vulnerability](https://github.com/dotnet/announcements/issues/291)
-  - [CVE-2024-0056 | Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/292)
 - 6.0.25 (November 2023)
-  - [CVE-2023-36038 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/286)
   - [CVE-2023-36049 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/287)
   - [CVE-2023-36558 | .NET Security Feature Bypass Vulnerability](https://github.com/dotnet/announcements/issues/288)
 - 6.0.24 (October 2023)
@@ -33,9 +33,10 @@ Your app may be vulnerable to the following published security [CVEs](https://ww
 - 6.0.21 (August 2023)
   - [CVE-2023-35390 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/266)
   - [CVE-2023-38180 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/269)
-  - [CVE-2023-38178 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/268)
   - [CVE-2023-35391 | .NET Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/267)
 - 6.0.20 (July 2023)
+  - No new CVEs.
+- 6.0.19 (June 2023)
   - [CVE-2023-24895 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/261)
   - [CVE-2023-24897 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/260)
   - [CVE-2023-24936 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/259)
@@ -45,50 +46,46 @@ Your app may be vulnerable to the following published security [CVEs](https://ww
   - [CVE-2023-33126 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/254)
   - [CVE-2023-33128 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/253)
   - [CVE-2023-33135 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/252)
-- 6.0.19 (June 2023)
-  - No additional CVEs.
 - 6.0.18 (June 2023)
-  - No additional CVEs.
+  - No new CVEs.
 - 6.0.17 (May 2023)
-  - No additional CVEs.
+  - No new CVEs.
 - 6.0.16 (April 2023)
-  - No additional CVEs.
+  - [CVE-2023-28260 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/250)
 - 6.0.15 (March 2023)
-  - No additional CVEs.
+  - No new CVEs.
 - 6.0.14 (February 2023)
   - [CVE-2023-21808 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/247)
 - 6.0.13 (January 2023)
-  - [CVE 2023-21538 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/244)
+  - [CVE-2023-21538 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/244)
 - 6.0.12 (December 2022)
-  - [CVE 2022-41089 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/242)
+  - [CVE-2022-41089 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/242)
 - 6.0.11 (November 2022)
-  - No additional CVEs.
+  - No new CVEs.
 - 6.0.10 (October 2022)
-  - No additional CVEs.
+  - [CVE-2022-41032 | .NET Core Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/236)
 - 6.0.9 (September 2022)
-  - [CVE 2022-41032 | .NET Core Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/236)
+  - [CVE-2022-38013 | .NET Core Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/234) 
 - 6.0.8 (August 2022)
-  - [CVE 2022-38013 | .NET Core Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/234)
+  - [CVE-2022-34716 | .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/232)
 - 6.0.7 (July 2022)
-  - [CVE 2022-34716 | .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/232)
+  - No new CVEs.
 - 6.0.6 (June 2022)
-  - No additional CVEs.
+  - [CVE-2022-30184 | .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/225)
 - 6.0.5 (May 2022)
-  - [CVE 2022-30184 | .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/225)
+  - [CVE-2022-29145 | ASP.NET Core Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/222)
+  - [CVE-2022-23267 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/221)
+  - [CVE-2022-29117 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/220)
 - 6.0.4 (April 2022)
-  - [CVE 2022-29145 | ASP.NET Core Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/222)
-  - [CVE 2022-23267 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/221)
-  - [CVE 2022-29117 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/220)
+  - No new CVEs.
 - 6.0.3 (March 2022)
-  - No additional CVEs.
-- 6.0.2 (February 2022)
   - [CVE-2022-24512 | .NET Remote Code Execution](https://github.com/dotnet/announcements/issues/213)
   - [CVE-2022-24464 | ASP.NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/212)
-- 6.0.1 (December 2021
+- 6.0.2 (February 2022)
   - [CVE-2022-21986 | ASP.NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/207)
-- 6.0.0 (November 2021)
+- 6.0.1 (December 2021)
   - [CVE-2021-43877 | ASP.NET Core Elevation of privilege Vulnerability](https://github.com/dotnet/announcements/issues/206)
+- 6.0.0 (November 2021)
+  - No new CVEs.
 
-The CVEs are displayed one month offset from when they were released. For example, the CVE listed with `6.0.0` was disclosed and a fix was published with `6.0.1`. `6.0.1` is not vulnerable to that CVE while `6.0.0` is. As a result, the CVE is listed with `6.0.0`, where it still applies. The same model is used for the other releases.
-
-The CVE exposure is cumulative. For example, `6.0.0` users may be vulnerable to the CVEs present in `6.0.0` and newer releases. Similarly, `6.0.3` users may be vulnerable to the CVEs present in `6.0.4` and newer releases. The latest release is not vulnerable to any published CVEs.
+CVE exposure is cumulative. For example, apps running on the `6.0.0` release may be vulnerable to the CVEs present in `6.0.1` and newer releases. The latest release is not vulnerable to any published CVEs.
diff --git a/release-notes/7.0/cve.md b/release-notes/7.0/cve.md
@@ -0,0 +1,70 @@
+# .NET 7 CVEs
+
+The .NET Team releases [monthly updates for .NET 7](https://github.com/dotnet/announcements/labels/.NET%207.0) on [Patch Tuesday](https://en.wikipedia.org/wiki/Patch_Tuesday). These updates often include security fixes. If you are on an older version, your app may be vulnerable.
+
+Your app needs to be on the latest .NET 7 patch version to be secure. The longer you wait to upgrade, the greater the exposure to CVEs.
+
+## Which CVEs apply to my app?
+
+Your app may be vulnerable to the following published security [CVEs](https://www.cve.org/) if you are using the given version or older.
+
+- 7.0.15 (January 2024)
+  - [CVE-2024-0056 | .NET Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/292)
+  - [CVE-2024-0057 | .NET Security Feature Bypass Vulnerability](https://github.com/dotnet/announcements/issues/291)
+  - [CVE-2024-21319 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/290)
+- 7.0.14 (November 2023)
+  - [CVE-2023-36049 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/287)
+  - [CVE-2023-36558 | .NET Security Feature Bypass Vulnerability](https://github.com/dotnet/announcements/issues/288)
+- 7.0.13 (October 2023)
+  - [CVE-2023-36435 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/281)
+  - [CVE-2023-38171 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/280)
+  - [CVE-2023-44487 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/282)
+  - [CVE-2023-36799 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/275)
+  - [CVE-2023-36796 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/274)
+  - [CVE-2023-36793 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/273)
+  - [CVE-2023-36794 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/272)
+  - [CVE-2023-36792 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/271)
+- 7.0.12 (October 2023)
+  - [CVE-2023-36435 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/281)
+  - [CVE-2023-38171 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/280)
+  - [CVE-2023-44487 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/277)
+- 7.0.11 (September 2023)
+  - [CVE-2023-36799 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/275)
+  - [CVE-2023-36796 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/274)
+  - [CVE-2023-36793 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/273)
+  - [CVE-2023-36794 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/272)
+  - [CVE-2023-36792 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/271)
+- 7.0.10 (August 2023)
+  - [CVE-2023-35390 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/266)
+  - [CVE-2023-35391 | .NET Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/267)
+  - [CVE-2023-38178 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/268)
+  - [CVE-2023-38180 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/269)
+- 7.0.9 (July 2023)
+  - [CVE-2023-33127 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/263)
+  - [CVE-2023-33170 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/264)
+- 7.0.8 (June 2023)
+  - No new CVEs.
+- 7.0.7 (June 2023)
+  - [CVE-2023-24895 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/261)
+  - [CVE-2023-24897 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/260)
+  - [CVE-2023-24936 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/259)
+  - [CVE-2023-29331 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/257)
+  - [CVE-2023-29337 | Nuget Client Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/256)
+  - [CVE-2023-32032 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/255)
+  - [CVE-2023-33126 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/254)
+  - [CVE-2023-33128 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/253)
+  - [CVE-2023-33135 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/252)
+- 7.0.5 (April 2023)
+  - [CVE-2023-28260 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/250)
+- 7.0.4 (March 2023)
+  - No new CVEs.
+- 7.0.3 (February 2023)
+  - [CVE-2023-21808 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/247)
+- 7.0.2 (January 2023)
+  - No new CVEs.
+- 7.0.1 (December 2022)
+  - [CVE-2022-41089 | .NET Remote Code Execution Vulnerability](https://github.com/dotnet/announcements/issues/242)
+- 7.0.0 (November 2022)
+  - No new CVEs.
+
+The CVE exposure is cumulative. For example, `7.0.0` users may be vulnerable to the CVEs present in `7.0.0` and newer releases. Similarly, `7.0.3` users may be vulnerable to the CVEs present in `7.0.4` and newer releases. The latest release is not vulnerable to any published CVEs.
diff --git a/release-notes/8.0/cve.md b/release-notes/8.0/cve.md
@@ -0,0 +1,19 @@
+# .NET 8 CVEs
+
+The .NET Team releases [monthly updates for .NET 8](https://github.com/dotnet/announcements/labels/.NET%208.0) on [Patch Tuesday](https://en.wikipedia.org/wiki/Patch_Tuesday). These updates often include security fixes. If you are on an older version, your app may be vulnerable.
+
+Your app needs to be on the latest .NET 8 patch version to be secure. The longer you wait to upgrade, the greater the exposure to CVEs.
+
+## Which CVEs apply to my app?
+
+Your app may be vulnerable to the following published security [CVEs](https://www.cve.org/) if you are using the given version or older.
+- 8.0.1 (January 2024)
+  - [CVE-2024-0056 | .NET Information Disclosure Vulnerability](https://github.com/dotnet/announcements/issues/292)
+  - [CVE-2024-0057 | .NET Security Feature Bypass Vulnerability](https://github.com/dotnet/announcements/issues/291)
+  - [CVE-2024-21319 | .NET Denial of Service Vulnerability](https://github.com/dotnet/announcements/issues/290)
+- 8.0.0 (November 2023)
+  - [CVE-2023-36049 | .NET Elevation of Privilege Vulnerability](https://github.com/dotnet/announcements/issues/287)
+  - [CVE-2023-36558 | .NET Security Feature Bypass Vulnerability](https://github.com/dotnet/announcements/issues/288)
+  - [CVE-2023-36038 | .NET Security Feature Bypass Vulnerability](https://github.com/dotnet/announcements/issues/286)
+
+The CVE exposure is cumulative. For example, `8.0.0` users may be vulnerable to the CVEs present in `8.0.0` and newer releases. Similarly, `8.0.3` users may be vulnerable to the CVEs present in `8.0.4` and newer releases. The latest release is not vulnerable to any published CVEs.