DoS Vulnerability in .NET Runtime for Visual Studio
CVE-2024-43499 Published on November 12, 2024
.NET and Visual Studio Denial of Service Vulnerability
Vulnerability Analysis
CVE-2024-43499 can be exploited with network access and requires neither authorization privileges nor user interaction. Its attack complexity is considered low. An exploit of this vulnerability is considered to have no impact on confidentiality or integrity, and a high impact on availability.
Weakness Types
What is a Data Amplification Vulnerability?
The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed.
CVE-2024-43499 has been classified as a Data Amplification vulnerability or weakness.
Unchecked Input for Loop Condition
The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.
Products Associated with CVE-2024-43499
stack.watch emails you whenever new vulnerabilities are published in Canonical Ubuntu Linux or Microsoft Visual Studio 2022.
Affected Versions
Microsoft Visual Studio 2022 version 17.6:
- Version 17.6.0 and below 17.6.21 is affected.
- Version 17.10 and below 17.10.9 is affected.
- Version 17.8.0 and below 17.8.16 is affected.
- Version 17.11 and below 17.11.6 is affected.
- Version 7.5.0 and below 7.5.0 is affected.
- Version 9.0.0 and below 9.0.0 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2024-43499:
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| nuget | System.Formats.Nrbf | < 9.0.0 | 9.0.0 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.