Headline
GHSA-jrjw-qgr2-wfcg: YARP Denial of Service Vulnerability
Impact
A denial of service vulnerability exists in YARP.
Patches
If you’re using YARP 1.x, you should update to NuGet package version 1.1.2. If you’re using YARP 2.0.0, you should update to NuGet package version 2.0.1.
You can do so by updating the PackageReference in your .csproj file:
<ItemGroup>
- <PackageReference Include="Yarp.ReverseProxy" Version="2.0.0" />
- <PackageReference Include="Yarp.Telemetry.Consumption" Version="2.0.0" />
+ <PackageReference Include="Yarp.ReverseProxy" Version="2.0.1" />
+ <PackageReference Include="Yarp.Telemetry.Consumption" Version="2.0.1" />
</ItemGroup>
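Review bot: the added lines pin both packages to 2.0.1, which fits only a project currently on 2.0.0; for a project on YARP 1.x the Yarp.ReverseProxy reference should be set to Version="1.1.2" instead, as the Patches text states. It would help to say so next to the hunk, since 1.x is also covered by this advisory.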
or by selecting 2.0.1 in the NuGet UI inside Visual Studio (Manage NuGet Packages / Updates).
Package
Yarp.ReverseProxy (NuGet)
Affected versions
<= 1.1.1
= 2.0.0
Patched versions
1.1.2
2.0.1
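A check for the affected ranges listed above, as an added example that is not part of the advisory or of YARP: it reads a .csproj and reports which patched version each Yarp.ReverseProxy reference needs. The sample project file and all function names are constructed for illustration; a version that is not a plain x.y.z (range, wildcard, prerelease, or centrally managed) is flagged for manual review rather than guessed.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "yarp.reverseproxy"  # NuGet package IDs compare case-insensitively

# Constructed sample project file, not taken from a real repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Yarp.ReverseProxy" Version="2.0.0" />
    <PackageReference Include="Yarp.Telemetry.Consumption" Version="2.0.0" />
  </ItemGroup>
</Project>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace old-style .csproj files use

def parse_version(text):
    """Return (major, minor, patch) for a plain x.y[.z] version, else None."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", (text or "").strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def required_upgrade(version):
    """Patched release for an affected version tuple, or None if not affected."""
    if version <= (1, 1, 1):   # advisory range: <= 1.1.1
        return "1.1.2"
    if version == (2, 0, 0):   # advisory range: = 2.0.0
        return "2.0.1"
    return None

def audit_csproj(xml_text):
    """Return (declared_version, verdict) per Yarp.ReverseProxy PackageReference."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "PackageReference":
            continue
        if (el.get("Include") or el.get("Update") or "").lower() != PACKAGE:
            continue
        # The version may be an attribute or a <Version> child element.
        raw = el.get("Version")
        if raw is None:
            raw = next((c.text for c in el if local(c.tag) == "Version"), None)
        version = parse_version(raw)
        if version is None:
            # Range, wildcard, prerelease, or version managed outside this file.
            findings.append((raw, "review manually"))
        else:
            fix = required_upgrade(version)
            findings.append((raw, f"update to {fix}" if fix else "not affected"))
    return findings
```

Calling `audit_csproj(SAMPLE_CSPROJ)` reports the single Yarp.ReverseProxy reference; Yarp.Telemetry.Consumption is ignored because the advisory lists only Yarp.ReverseProxy as the affected package.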
References
- CVE-2023-33141
- GHSA-jrjw-qgr2-wfcg
- https://nvd.nist.gov/vuln/detail/CVE-2023-33141
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33141
- https://www.nuget.org/packages/Yarp.ReverseProxy/1.1.2
- https://www.nuget.org/packages/Yarp.ReverseProxy/2.0.1
Tratcher published to microsoft/reverse-proxy
Jun 22, 2023
Published to the GitHub Advisory Database
Jun 23, 2023
Reviewed
Jun 23, 2023
Last updated
Jun 27, 2023