GHSA-vmch-3w2x-vhgq · Severity: high · Ecosystem: nuget — .NET Denial of Service Vulnerability
.NET and Visual Studio Denial of Service Vulnerability
Conclusion & alert: CVE-2023-38180 is rated Active Exploitation (76.1/100): CVSS High severity, with medium exploitation likelihood (EPSS 0.88%). Core evidence: CISA KEV confirms active exploitation (added 2023-08-09) affecting Microsoft / .NET Core and Visual Studio. a weakness (CWE-400) Unauthenticated remote administrative access may be possible. Mandatory action: The CISA remediation deadline has passed—treat as an emergency patch priority.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
: Microsoft .NET Core and Visual Studio Denial-of-Service Vulnerability · CISA KEV detail
: 2023-08-09
: 2023-08-30
: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2025-11-21 | 47.97% | 0.88% | -47.09% |
| 2 | 2025-11-18 | 0.88% | 47.97% | +47.09% |
| 3 | 2025-10-29 | — | 0.88% | — |
Full EPSS history (26 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
GHSA-vmch-3w2x-vhgq · Severity: high · Ecosystem: nuget — .NET Denial of Service Vulnerability
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2023-38180: 4 source package rows (dotnet6-build, dotnet6-runtime, dotnet7-build, dotnet7-runtime); 14 state rows across 4 repos (3.18-community, 3.19-community, 3.20-community, edge-community); fixed 14, open 0. | https://security.alpinelinux.org/vuln/CVE-2023-38180 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2023-38180 |
ubuntu
|
medium | CVE-2023-38180 medium priority: Ubuntu including 2 source packages (dotnet6, dotnet7), 14 status rows across 7 suites (bionic, focal, jammy, lunar, trusty, upstream, xenial): DNE 8, released 6. | https://ubuntu.com/security/CVE-2023-38180 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| microsoft | .net | >= 6.0.0, < 6.0.21 | cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:* |
| microsoft | .net | >= 7.0.0, < 7.0.10 | cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:* |
| microsoft | asp.net_core | >= 2.1, < 2.1.40 | cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:* |
| microsoft | visual_studio_2022 | >= 17.2.0, < 17.2.18 | cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:* |
| microsoft | visual_studio_2022 | >= 17.4.0, < 17.4.10 | cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:* |
| microsoft | visual_studio_2022 | >= 17.6.0, < 17.6.6 | cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:* |
| fedoraproject | fedora | 37 | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* |
| fedoraproject | fedora | 38 | cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* |