CVE-2023-33141
HIGH 7.5 | EPSS 3.0%
YARP Denial of Service Vulnerability
Description
### Impact

A denial of service vulnerability exists in YARP.

### Patches

If you're using YARP 1.x, you should update to NuGet package version [1.1.2](https://www.nuget.org/packages/Yarp.ReverseProxy/1.1.2).

If you're using YARP 2.0.0, you should update to NuGet package version [2.0.1](https://www.nuget.org/packages/Yarp.ReverseProxy/2.0.1).

You can do so by updating the `PackageReference` in your `.csproj` file

```diff
<ItemGroup>
- <PackageReference Include="Yarp.ReverseProxy" Version="2.0.0" />
- <PackageReference Include="Yarp.Telemetry.Consumption" Version="2.0.0" />
+ <PackageReference Include="Yarp.ReverseProxy" Version="2.0.1" />
+ <PackageReference Include="Yarp.Telemetry.Consumption" Version="2.0.1" />
</ItemGroup>
```

or by selecting `2.0.1` in the NuGet UI inside Visual Studio (`Manage NuGet Packages` / `Updates`)

### References

[CVE-2023-33141](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33141)
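Review bot: both changed `PackageReference` lines cover only the 2.0.0 to 2.0.1 bump, so a project on YARP 1.x that copies this hunk would move to a new major version; for 1.x, set `Version="1.1.2"` on the `Yarp.ReverseProxy` reference instead, as the Patches text states. The hunk also moves `Yarp.Telemetry.Consumption` in step with `Yarp.ReverseProxy`; projects that do not reference that package can ignore those two lines.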
Affected packages (1)
- NuGet/Yarp.ReverseProxy: from 0, < 1.1.2
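To find projects that still need the update described under Patches, the following added example (not code from the advisory or the YARP project) checks the `Yarp.ReverseProxy` references in a `.csproj` against the versions this page names. The function names and the sample project file are constructed for illustration, and it assumes that only plain `X.Y.Z` versions can be judged automatically; anything else is reported as unresolved for manual review.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "Yarp.ReverseProxy"  # the affected package named on this page

# Constructed sample project file (not taken from a real repository).
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Yarp.ReverseProxy" Version="2.0.0" />
    <PackageReference Include="Yarp.Telemetry.Consumption" Version="2.0.0" />
  </ItemGroup>
</Project>"""

def local(tag):
    """Strip an XML namespace so old-style MSBuild files match too."""
    return tag.rsplit("}", 1)[-1]

def classify(raw):
    """Map a version string to 'affected', 'ok' or 'unresolved'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", raw)
    if not m:
        # Assumption: properties, ranges and pre-release tags need manual review.
        return "unresolved"
    version = tuple(int(part) for part in m.groups())
    # Ranges as stated on this page: below 1.1.2, or exactly 2.0.0.
    return "affected" if version < (1, 1, 2) or version == (2, 0, 0) else "ok"

def audit_csproj(xml_text):
    """Return [(version_string, status)] for every Yarp.ReverseProxy reference."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "PackageReference":
            continue
        # NuGet package IDs are case-insensitive.
        if (el.get("Include") or "").lower() != PACKAGE.lower():
            continue
        # Version may be an attribute or a child <Version> element.
        child = next((c.text for c in el if local(c.tag) == "Version"), None)
        raw = (el.get("Version") or child or "").strip()
        findings.append((raw, classify(raw)))
    return findings

if __name__ == "__main__":
    for raw, status in audit_csproj(SAMPLE):
        print(f"{PACKAGE} {raw or '(no version)'}: {status}")
```

An "unresolved" result usually means the version is set through an MSBuild property or a central package file, so the effective version has to be checked there.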
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-33141
- PATCH: https://github.com/microsoft/reverse-proxy
- WEB: https://github.com/microsoft/reverse-proxy/security/advisories/GHSA-jrjw-qgr2-wfcg
- WEB: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33141
- WEB: https://www.nuget.org/packages/Yarp.ReverseProxy/1.1.2
- WEB: https://www.nuget.org/packages/Yarp.ReverseProxy/2.0.1