{
  "threat_severity" : "Moderate",
  "public_date" : "2023-08-08T00:00:00Z",
  "bugzilla" : {
    "description" : "dotnet: Redis backplane in SignalR listen disclosure information to unexpected group or user",
    "id" : "2228618",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2228618"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-200",
  "details" : [ "ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability", "A vulnerability was found in dotnet. This issue exists in .NET 6.0 and .NET 7.0 when using the redis backplane in SignalIR, which may result in information disclosure." ],
  "statement" : "This CVE only affects .NET configurations on Windows OS. Red Hat software are not impacted.",
  "package_state" : [ {
    "product_name" : ".NET 6.0 on Red Hat Enterprise Linux",
    "fix_state" : "Not affected",
    "package_name" : "rh-dotnet60",
    "cpe" : "cpe:/a:redhat:rhel_dotnet:6.0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "dotnet6.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "dotnet7.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "dotnet6.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "dotnet7.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-35391\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-35391\nhttps://devblogs.microsoft.com/dotnet/august-2023-updates/" ],
  "name" : "CVE-2023-35391",
  "csaw" : false
}