Moderate severityNVD Advisory· Published Aug 9, 2022· Updated May 29, 2025

.NET Spoofing Vulnerability

CVE-2022-34716

Description

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A spoofing vulnerability in .NET Core 3.1 and .NET 6.0 could allow unauthorized disclosure of privileged information.

The vulnerability, categorized as an information disclosure issue, exists in .NET Core 3.1 and .NET 6.0. It affects the System.Security.Cryptography.Xml package and the Microsoft.AspNetCore.App.Runtime packages [1]. The root cause is not disclosed in detail, but the advisory indicates that an attacker could potentially exploit this to access privileged information [3].

Exploitation does not require any known mitigating factors, and Microsoft has not identified any prerequisites that would reduce the risk [1]. The attack surface appears to be network-based, as the vulnerability resides in ASP.NET Core runtime components that handle client requests. No user interaction is necessary for exploitation.

Successful exploitation could lead to unauthorized access to sensitive data that the affected application processes. The confidentiality impact is high, as privileged information could be disclosed to an attacker [3].

Microsoft released patches for both .NET Core 3.1 (upgrade to 3.1.28 or later) and .NET 6.0 (upgrade to 6.0.8 or later). Developers should update the affected runtime packages immediately to remediate the vulnerability [1].

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
System.Security.Cryptography.XmlNuGet	< 4.7.1	4.7.1
System.Security.Cryptography.XmlNuGet	>= 5.0.0, < 6.0.1	6.0.1
Microsoft.AspNetCore.App.Runtime.win-x64NuGet	>= 3.1.0, < 3.1.28	3.1.28
Microsoft.AspNetCore.App.Runtime.win-x64NuGet	>= 6.0.0, < 6.0.8	6.0.8
Microsoft.AspNetCore.App.Runtime.linux-x64NuGet	>= 3.1.0, < 3.1.28	3.1.28
Microsoft.AspNetCore.App.Runtime.linux-x64NuGet	>= 6.0.0, < 6.0.8	6.0.8
Microsoft.AspNetCore.App.Runtime.win-x86NuGet	>= 3.1.0, < 3.1.28	3.1.28
Microsoft.AspNetCore.App.Runtime.win-x86NuGet	>= 6.0.0, < 6.0.8	6.0.8
Microsoft.AspNetCore.App.Runtime.osx-x64NuGet	>= 3.1.0, < 3.1.28	3.1.28
Microsoft.AspNetCore.App.Runtime.osx-x64NuGet	>= 6.0.0, < 6.0.8	6.0.8
Microsoft.AspNetCore.App.Runtime.linux-musl-x64NuGet	>= 3.1.0, < 3.1.28	3.1.28
Microsoft.AspNetCore.App.Runtime.linux-musl-x64NuGet	>= 6.0.0, < 6.0.8	6.0.8
Microsoft.AspNetCore.App.Runtime.linux-arm64NuGet	>= 3.1.0, < 3.1.28	3.1.28
Microsoft.AspNetCore.App.Runtime.linux-arm64NuGet	>= 6.0.0, < 6.0.8	6.0.8
Microsoft.AspNetCore.App.Runtime.linux-armNuGet	>= 3.1.0, < 3.1.28	3.1.28
Microsoft.AspNetCore.App.Runtime.linux-armNuGet	>= 6.0.0, < 6.0.8	6.0.8
Microsoft.AspNetCore.App.Runtime.win-arm64NuGet	>= 3.1.0, < 3.1.28	3.1.28
Microsoft.AspNetCore.App.Runtime.win-arm64NuGet	>= 6.0.0, < 6.0.8	6.0.8
Microsoft.AspNetCore.App.Runtime.win-armNuGet	>= 3.1.0, < 3.1.28	3.1.28
Microsoft.AspNetCore.App.Runtime.win-armNuGet	>= 6.0.0, < 6.0.8	6.0.8
Microsoft.AspNetCore.App.Runtime.osx-arm64NuGet	>= 6.0.0, < 6.0.8	6.0.8
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64NuGet	>= 3.1.0, < 3.1.28	3.1.28
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64NuGet	>= 6.0.0, < 6.0.8	6.0.8
Microsoft.AspNetCore.App.Runtime.linux-musl-armNuGet	>= 3.1.0, < 3.1.28	3.1.28
Microsoft.AspNetCore.App.Runtime.linux-musl-armNuGet	>= 6.0.0, < 6.0.8	6.0.8

Affected products

osv-coords37 versions
pkg:bitnami/dotnet pkg:bitnami/dotnet-sdk pkg:bitnami/powershell pkg:nuget/microsoft.aspnetcore.app.runtime.linux-arm pkg:nuget/microsoft.aspnetcore.app.runtime.linux-arm64 pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-arm pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-arm64 pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-x64 pkg:nuget/microsoft.aspnetcore.app.runtime.linux-x64 pkg:nuget/microsoft.aspnetcore.app.runtime.osx-arm64 pkg:nuget/microsoft.aspnetcore.app.runtime.osx-x64 pkg:nuget/microsoft.aspnetcore.app.runtime.win-arm pkg:nuget/microsoft.aspnetcore.app.runtime.win-arm64 pkg:nuget/microsoft.aspnetcore.app.runtime.win-x64 pkg:nuget/microsoft.aspnetcore.app.runtime.win-x86 pkg:nuget/system.security.cryptography.xml pkg:rpm/almalinux/aspnetcore-runtime-3.1 pkg:rpm/almalinux/aspnetcore-runtime-6.0 pkg:rpm/almalinux/aspnetcore-targeting-pack-3.1 pkg:rpm/almalinux/aspnetcore-targeting-pack-6.0 pkg:rpm/almalinux/dotnet pkg:rpm/almalinux/dotnet-apphost-pack-3.1 pkg:rpm/almalinux/dotnet-apphost-pack-6.0 pkg:rpm/almalinux/dotnet-host pkg:rpm/almalinux/dotnet-hostfxr-3.1 pkg:rpm/almalinux/dotnet-hostfxr-6.0 pkg:rpm/almalinux/dotnet-runtime-3.1 pkg:rpm/almalinux/dotnet-runtime-6.0 pkg:rpm/almalinux/dotnet-sdk-3.1 pkg:rpm/almalinux/dotnet-sdk-3.1-source-built-artifacts pkg:rpm/almalinux/dotnet-sdk-6.0 pkg:rpm/almalinux/dotnet-sdk-6.0-source-built-artifacts pkg:rpm/almalinux/dotnet-targeting-pack-3.1 pkg:rpm/almalinux/dotnet-targeting-pack-6.0 pkg:rpm/almalinux/dotnet-templates-3.1 pkg:rpm/almalinux/dotnet-templates-6.0 pkg:rpm/almalinux/netstandard-targeting-pack-2.1
>= 6.0.0, < 6.0.8+ 36 more
- (no CPE)range: >= 6.0.0, < 6.0.8
- (no CPE)range: >= 6.0.0, < 6.0.8
- (no CPE)range: >= 7.0.0, < 7.0.12
- (no CPE)range: >= 3.1.0, < 3.1.28
- (no CPE)range: >= 3.1.0, < 3.1.28
- (no CPE)range: >= 3.1.0, < 3.1.28
- (no CPE)range: >= 3.1.0, < 3.1.28
- (no CPE)range: >= 3.1.0, < 3.1.28
- (no CPE)range: >= 3.1.0, < 3.1.28
- (no CPE)range: >= 6.0.0, < 6.0.8
- (no CPE)range: >= 3.1.0, < 3.1.28
- (no CPE)range: >= 3.1.0, < 3.1.28
- (no CPE)range: >= 3.1.0, < 3.1.28
- (no CPE)range: >= 3.1.0, < 3.1.28
- (no CPE)range: >= 3.1.0, < 3.1.28
- (no CPE)range: < 4.7.1
- (no CPE)range: < 3.1.28-1.el8_6
- (no CPE)range: < 6.0.8-1.el9_0
- (no CPE)range: < 3.1.28-1.el8_6
- (no CPE)range: < 6.0.8-1.el9_0
- (no CPE)range: < 6.0.108-1.el8_6
- (no CPE)range: < 3.1.28-1.el8_6
- (no CPE)range: < 6.0.8-1.el9_0
- (no CPE)range: < 6.0.8-1.el9_0
- (no CPE)range: < 3.1.28-1.el8_6
- (no CPE)range: < 6.0.8-1.el9_0
- (no CPE)range: < 3.1.28-1.el8_6
- (no CPE)range: < 6.0.8-1.el9_0
- (no CPE)range: < 3.1.422-1.el8_6
- (no CPE)range: < 3.1.422-1.el8_6
- (no CPE)range: < 6.0.108-1.el9_0
- (no CPE)range: < 6.0.108-1.el9_0
- (no CPE)range: < 3.1.28-1.el8_6
- (no CPE)range: < 6.0.8-1.el9_0
- (no CPE)range: < 3.1.422-1.el8_6
- (no CPE)range: < 6.0.108-1.el9_0
- (no CPE)range: < 6.0.108-1.el9_0
Microsoft/Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)v5
Range: 15.9.0
Microsoft/Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)v5
Range: 16.11.0
Microsoft/Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)v5
Range: 15.0.0
Microsoft/Microsoft Visual Studio 2022 version 17.0v5
Range: 17.0.0
Microsoft/Microsoft Visual Studio 2022 version 17.2v5
Range: 17.2.0
Microsoft/.NET 6.0v5
Range: 6.0.0
Microsoft/.NET Core 3.1v5
Range: 3.1
Microsoft/PowerShell 7.0v5
Range: 7.0.0
Microsoft/PowerShell 7.2v5
Range: 7.2.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-vh55-786g-wjwjghsaADVISORY
msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34716ghsavendor-advisoryWEB
nvd.nist.gov/vuln/detail/CVE-2022-34716ghsaADVISORY
github.com/dotnet/announcements/issues/232ghsaWEB
github.com/dotnet/aspnetcore/issues/43166ghsaWEB
github.com/dotnet/aspnetcore/security/advisories/GHSA-vh55-786g-wjwjghsaWEB
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34716ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000