
GHSA-jrjw-qgr2-wfcg: YARP Denial of Service Vulnerability

Impact

A denial of service vulnerability exists in YARP.

Patches

If you’re using YARP 1.x, you should update to NuGet package version 1.1.2. If you’re using YARP 2.0.0, you should update to NuGet package version 2.0.1.

You can do so by updating the PackageReference in your .csproj file:

<ItemGroup>
- <PackageReference Include="Yarp.ReverseProxy" Version="2.0.0" />
- <PackageReference Include="Yarp.Telemetry.Consumption" Version="2.0.0" />
+ <PackageReference Include="Yarp.ReverseProxy" Version="2.0.1" />
+ <PackageReference Include="Yarp.Telemetry.Consumption" Version="2.0.1" />
</ItemGroup>
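
Review bot: the `+` lines pin only Version="2.0.1", so the snippet covers the 2.0.0 case but not the YARP 1.x case that the text above sends to 1.1.2; a 1.x project copying it would change major version instead of taking the 1.1.2 fix. Suggest adding a sentence or a second variant with Version="1.1.2" for 1.x projects. The hunk also bumps Yarp.Telemetry.Consumption, which the advisory text does not mention; it would help to state whether that reference is required for the fix or is only being kept in step with Yarp.ReverseProxy.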

Alternatively, select 2.0.1 in the NuGet UI inside Visual Studio (Manage NuGet Packages / Updates).

References

CVE-2023-33141


Package

Yarp.ReverseProxy (NuGet)

Affected versions

<= 1.1.1

= 2.0.0

Patched versions

1.1.2

2.0.1
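
One way to check project files against the affected and patched versions listed above, as an added example that is not part of the advisory or the YARP project. The function names and the sample .csproj are constructed for illustration; it looks only at direct `PackageReference` entries for Yarp.ReverseProxy and marks anything that is not a plain `x.y.z` version for manual review.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "yarp.reverseproxy"  # NuGet package IDs compare case-insensitively

# Constructed sample project file (not from the advisory).
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Yarp.ReverseProxy" Version="2.0.0" />
    <PackageReference Include="yarp.reverseproxy"><Version>1.1.2</Version></PackageReference>
    <PackageReference Include="Yarp.ReverseProxy" Version="1.*" />
    <PackageReference Include="Yarp.Telemetry.Consumption" Version="2.0.0" />
  </ItemGroup>
</Project>"""

def classify(version):
    """Return 'affected', 'ok' or 'review' for one Version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", (version or "").strip())
    if not m:  # floating (1.*), ranges, prerelease tags, or no version at all
        return "review"
    v = tuple(int(p) for p in m.groups())
    # Advisory ranges: "<= 1.1.1" and "= 2.0.0".
    return "affected" if v <= (1, 1, 1) or v == (2, 0, 0) else "ok"

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop a legacy MSBuild xmlns prefix

def audit_csproj(xml_text):
    """Return [(version, status, fix)] for every Yarp.ReverseProxy reference."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "PackageReference":
            continue
        if (el.get("Include") or el.get("Update") or "").lower() != PACKAGE:
            continue
        version = el.get("Version")
        if version is None:  # version given as a <Version> child element
            version = next((c.text for c in el if local(c.tag) == "Version"), None)
        status = classify(version)
        fix = None
        if status == "affected":  # stay on the same major line, as the advisory advises
            fix = "2.0.1" if version.strip().startswith("2.") else "1.1.2"
        findings.append((version, status, fix))
    return findings

if __name__ == "__main__":
    for version, status, fix in audit_csproj(SAMPLE):
        print(f"Yarp.ReverseProxy {version}: {status}" + (f" -> update to {fix}" if fix else ""))
```

Versions resolved transitively or set outside the project file are not visible to this check, so a "review" or empty result still needs confirmation against the restored package graph.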

References

  • GHSA-jrjw-qgr2-wfcg
  • https://nvd.nist.gov/vuln/detail/CVE-2023-33141
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33141
  • https://www.nuget.org/packages/Yarp.ReverseProxy/1.1.2
  • https://www.nuget.org/packages/Yarp.ReverseProxy/2.0.1

Tratcher published to microsoft/reverse-proxy: Jun 22, 2023

Published to the GitHub Advisory Database: Jun 23, 2023

Reviewed: Jun 23, 2023

Last updated: Jun 27, 2023

Related news

CVE-2023-33141

Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability