{
  "threat_severity" : "Important",
  "public_date" : "2024-10-08T00:00:00Z",
  "bugzilla" : {
    "description" : "dotnet: Multiple .NET components susceptible to hash flooding",
    "id" : "2315730",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2315730"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-407",
  "details" : [ ".NET, .NET Framework, and Visual Studio Denial of Service Vulnerability", "A flaw was found in dotnet. The System.Security.Cryptography.Cose, System.IO.Packaging and System.Runtime.Caching components may be exposed to hostile input, making them susceptible to hash flooding attacks, resulting in denial of service." ],
  "statement" : ".NET 6.0 (dotnet6.0) was released for RHEL 8 starting with RHEL 8.5. Therefore, this .NET version is not affected in RHEL 8.4 and previous versions.\n.NET 8.0 (dotnet8.0) was released for RHEL 8 starting with RHEL 8.9. Therefore, this .NET version is not affected in RHEL 8.8 and previous versions.\n.NET 8.0 (dotnet8.0) was released for RHEL 9 starting with RHEL 9.3. Therefore, this .NET version is not affected in RHEL 9.2 and previous versions.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHSA-2024:7851",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet6.0-0:6.0.135-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHSA-2024:7868",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet8.0-0:8.0.110-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8082",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.6",
    "package" : "dotnet6.0-0:6.0.135-1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8082",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.6",
    "package" : "dotnet6.0-0:6.0.135-1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8082",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.6",
    "package" : "dotnet6.0-0:6.0.135-1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8036",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.8",
    "package" : "dotnet6.0-0:6.0.135-1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHSA-2024:7867",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet6.0-0:6.0.135-1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHSA-2024:7869",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet8.0-0:8.0.110-1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8048",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "dotnet6.0-0:6.0.135-1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8047",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "dotnet6.0-0:6.0.135-1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "dotnet8.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "dotnet9.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Out of support scope",
    "package_name" : "dotnet7.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "dotnet9.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-43483\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-43483\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43483" ],
  "name" : "CVE-2024-43483",
  "mitigation" : {
    "value" : "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
    "lang" : "en:us"
  },
  "csaw" : false
}