CVE-2024-38095

7.5 HIGH

📋 TL;DR

This vulnerability in .NET and Visual Studio allows attackers to cause a denial of service by sending specially crafted requests to affected systems. It affects applications built with vulnerable .NET versions and developers using affected Visual Studio versions. The vulnerability stems from improper input validation (CWE-20).

💻 Affected Systems

Products:
  • .NET
  • Visual Studio
Versions: Specific versions as detailed in Microsoft advisory (check patch version for exact ranges)
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Applications built with vulnerable .NET SDKs or runtimes are affected regardless of hosting platform.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability for applications using vulnerable .NET components, potentially affecting multiple dependent services.

🟠

Likely Case

Application crashes or hangs requiring restart, leading to temporary service disruption.

🟢

If Mitigated

Minimal impact with proper input validation and rate limiting in place.

🌐 Internet-Facing: HIGH - Internet-facing applications using vulnerable .NET components can be directly targeted.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable, but an attacker first needs access to the internal network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Microsoft rates this as 'Exploitation More Likely' based on their assessment framework.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific .NET and Visual Studio versions

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38095

Restart Required: Yes

Instructions:

1. Apply the latest security updates for the .NET runtime/SDK and Visual Studio.
2. Restart affected services.
3. Rebuild and redeploy applications with updated dependencies.

🔧 Temporary Workarounds

Input Validation Enhancement

all

Implement strict input validation and size limits on all user inputs

Rate Limiting

all

Implement rate limiting on application endpoints to reduce DoS impact

🧯 If You Can't Patch

  • Deploy a Web Application Firewall (WAF) with DoS protection rules
  • Isolate vulnerable applications behind reverse proxies with request filtering

🔍 How to Verify

Check if Vulnerable:

Check .NET version with 'dotnet --info' and compare against patched versions in Microsoft advisory

Check Version:

dotnet --info (for .NET) or check Visual Studio About dialog

Verify Fix Applied:

Verify installed .NET/Visual Studio versions match or exceed patched versions listed in Microsoft advisory
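
The version comparison described above can be scripted across a fleet. The following is an added example, not taken from the Microsoft advisory or any vendor tooling: it reads the output of `dotnet --list-runtimes` (used here instead of parsing `dotnet --info`) and flags each installed runtime against a minimum patched version per release band. The minimum versions and the sample runtime list are constructed placeholders; replace them with the values from the advisory.

```shell
#!/bin/sh
# Added example. The minimum versions passed in below are PLACEHOLDERS, not the
# real patch levels for CVE-2024-38095; take the real ones from the advisory.

# ver_lt A B: succeed when dotted version A is strictly lower than B (numeric compare).
ver_lt() {
    if [ "$1" = "$2" ]; then return 1; fi
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# check_runtimes BAND=MIN ...   (reads `dotnet --list-runtimes` output on stdin)
# Prints "STATUS name version" per runtime; STATUS is VULNERABLE, OK or UNLISTED.
check_runtimes() {
    while read -r name version _rest; do
        if [ -z "$version" ]; then continue; fi
        clean=${version%%-*}                          # drop -preview/-rc suffix
        band=$(printf '%s' "$clean" | cut -d. -f1,2)  # 8.0.9 -> 8.0
        min=
        for pair in "$@"; do
            if [ "${pair%%=*}" = "$band" ]; then min=${pair#*=}; fi
        done
        if [ -z "$min" ]; then
            status=UNLISTED      # no minimum supplied for this band: review by hand
        elif ver_lt "$clean" "$min"; then
            status=VULNERABLE
        else
            status=OK
        fi
        printf '%s %s %s\n' "$status" "$name" "$version"
    done
}

# Constructed sample of `dotnet --list-runtimes` output (not from a real host).
sample_runtimes() {
    cat <<'EOF'
Microsoft.AspNetCore.App 8.0.9 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.50 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.10 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.20 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
EOF
}

# Placeholder minimums: 8.0.50 and 6.0.50 are constructed, not real patched builds.
sample_runtimes | check_runtimes "8.0=8.0.50" "6.0=6.0.50"
```

On a real host, pipe `dotnet --list-runtimes` into `check_runtimes` with the advisory's minimums; an UNLISTED result means no minimum was supplied for that release band, so check it by hand.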

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • High CPU/memory usage spikes
  • Request timeouts

Network Indicators:

  • Unusual request patterns to .NET endpoints
  • High volume of malformed requests

SIEM Query:

source="application_logs" AND ("crash" OR "hang" OR "timeout") AND process="dotnet"
