VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-39yq-wjun-1khz

Essentials
Severities (45)
References (18)
Severity details (17)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-39yq-wjun-1khz
Aliases	CVE-2022-34716 GHSA-vh55-786g-wjwj GMS-2024-75 GMS-2024-76 GMS-2024-77 GMS-2024-78 GMS-2024-79 GMS-2024-80 GMS-2024-81 GMS-2024-82 GMS-2024-83 GMS-2024-84 GMS-2024-85 GMS-2024-86 GMS-2024-90
Summary	.NET Information Disclosure Vulnerability Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An information disclosure vulnerability exists in .NET Core 3.1 and .NET 6.0 that could lead to unauthorized access of privileged information. ## <a name="affected-software"></a>Affected software * Any .NET 6.0 application running on .NET 6.0.7 or earlier. * Any .NET Core 3.1 applicaiton running on .NET Core 3.1.27 or earlier. If your application uses the following package versions, ensure you update to the latest version of .NET. ### <a name=".NET Core 3.1"></a>.NET Core 3.1 Package name \| Affected version \| Patched version ------------ \| ---------------- \| ------------------------- [System.Security.Cryptography.Xml](http://system.security)\| <=4.7.0\| 4.7.1 [Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64)\| >=3.1.0, 3.1.27\| 3.1.28 [Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64)\| >=3.1.0, 3.1.27\| 3.1.28 [Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86)\| >=3.1.0, 3.1.27\| 3.1.28 [Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64)\| >=3.1.0, 3.1.27\| 3.1.28 [Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64)\| >=3.1.0, 3.1.27\| 3.1.28 [Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64)\| >=3.1.0, 3.1.27\| 3.1.28 [Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm)\| >=3.1.0, 3.1.27\| 3.1.28 [Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64)\| >=3.1.0, 3.1.27\| 3.1.28 [Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm)\| >=3.1.0, 3.1.27\| 3.1.28 [Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64)\| >=3.1.0, 3.1.27\| 3.1.28 [Microsoft.AspNetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm)\| >=3.1.0, 3.1.27\| 3.1.28 ### <a name=".NET 6"></a>.NET 6 Package name \| Affected version \| Patched version ------------ \| ---------------- \| ------------------------- [System.Security.Cryptography.Xml](https://www.nuget.org/packages/System.Security.Cryptography.Xml)\| >=5.0.0, 6.0.0\| 6.0.1 [Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64)\| >=6.0.0, 6.0.7\| 6.0.8 [Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64)\| >=6.0.0, 6.0.7\| 6.0.8 [Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86)\| >=6.0.0, 6.0.7\| 6.0.8 [Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64)\| >=6.0.0, 6.0.7\| 6.0.8 [Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64)\| >=6.0.0, 6.0.7\| 6.0.8 [Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64)\| >=6.0.0, 6.0.7\| 6.0.8 [Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm)\| >=6.0.0, 6.0.7\| 6.0.8 [Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64)\| >=6.0.0, 6.0.7\| 6.0.8 [Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm)\| >=6.0.0, 6.0.7\| 6.0.8 [Microsoft.AspNetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-arm64)\| >=6.0.0, 6.0.7\| 6.0.8 [Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64)\| >=6.0.0, 6.0.7\| 6.0.8 [Microsoft.AspNetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm)\| >=6.0.0, 6.0.7\| 6.0.8 ## Patches * If you're using .NET 6.0, you should download and install Runtime 6.0.8 or SDK 6.0.108 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0. * If you're using .NET Core 3.1, you should download and install Runtime 3.1.28 (for Visual Studio 2019 v16.9) from https://dotnet.microsoft.com/download/dotnet-core/3.1. ### Other Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/232 An Issue for this can be found at https://github.com/dotnet/aspnetcore/issues/43166 MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34716
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-611	Improper Restriction of XML External Entity Reference

System	Score	Found at
cvssv3	5.9	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-34716.json
epss	0.0075	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0075	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0075	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0075	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0075	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0075	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0075	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0075	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0075	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0075	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0075	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0083	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0083	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0083	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0083	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0083	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0083	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0083	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.0083	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.00963	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.00963	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.00963	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.00963	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.00963	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.00963	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.00963	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.00963	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
epss	0.00963	https://api.first.org/data/v1/epss?cve=CVE-2022-34716
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-vh55-786g-wjwj
cvssv3.1	5.9	https://github.com/dotnet/announcements/issues/232
generic_textual	MODERATE	https://github.com/dotnet/announcements/issues/232
cvssv3.1	5.9	https://github.com/dotnet/aspnetcore/issues/43166
generic_textual	MODERATE	https://github.com/dotnet/aspnetcore/issues/43166
cvssv3.1	5.9	https://github.com/dotnet/aspnetcore/security/advisories/GHSA-vh55-786g-wjwj
cvssv3.1_qr	MODERATE	https://github.com/dotnet/aspnetcore/security/advisories/GHSA-vh55-786g-wjwj
generic_textual	MODERATE	https://github.com/dotnet/aspnetcore/security/advisories/GHSA-vh55-786g-wjwj
cvssv3.1	5.9	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34716
cvssv3.1	5.9	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34716
generic_textual	MODERATE	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34716
ssvc	Track	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34716
cvssv3.1	5.9	https://nvd.nist.gov/vuln/detail/CVE-2022-34716
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2022-34716
cvssv3.1	5.9	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34716
generic_textual	MODERATE	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34716

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-34716.json
		https://api.first.org/data/v1/epss?cve=CVE-2022-34716
		https://github.com/dotnet/announcements/issues/232
		https://github.com/dotnet/aspnetcore/issues/43166
		https://github.com/dotnet/aspnetcore/security/advisories/GHSA-vh55-786g-wjwj
		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34716
		https://nvd.nist.gov/vuln/detail/CVE-2022-34716
		https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34716
2115183		https://bugzilla.redhat.com/show_bug.cgi?id=2115183
cpe:2.3:a:microsoft:.net::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microsoft:.net::::::::
cpe:2.3:a:microsoft:.net_core::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microsoft:.net_core::::::::
cpe:2.3:a:microsoft:powershell::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microsoft:powershell::::::::
GHSA-vh55-786g-wjwj		https://github.com/advisories/GHSA-vh55-786g-wjwj
RHSA-2022:6037		https://access.redhat.com/errata/RHSA-2022:6037
RHSA-2022:6038		https://access.redhat.com/errata/RHSA-2022:6038
RHSA-2022:6043		https://access.redhat.com/errata/RHSA-2022:6043
RHSA-2022:6057		https://access.redhat.com/errata/RHSA-2022:6057
RHSA-2022:6058		https://access.redhat.com/errata/RHSA-2022:6058

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-34716.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/dotnet/announcements/issues/232

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/dotnet/aspnetcore/issues/43166

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/dotnet/aspnetcore/security/advisories/GHSA-vh55-786g-wjwj

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C Found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34716

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34716

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-29T20:04:18Z/ Found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34716

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-34716

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34716

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.72194
EPSS Score	0.0075
Published At	July 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T08:32:25.816271+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-vh55-786g-wjwj/GHSA-vh55-786g-wjwj.json	37.0.0