[GHSA-2865-hh9g-w894] Microsoft Security Advisory CVE-2025-24070: .NET Elevation of Privilege Vulnerability #5707
Conversation
Hi there @rbhanda! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory
Pull Request Overview
This PR updates the advisory details for CVE-2025-24070 by adding missing information for ASP.NET Core 6.0 and revising the modified timestamp.
- Revised the "modified" timestamp with a minor update
- Extended the "details" section to include ASP.NET Core 6.0 information with affected version details
- Maintained consistency with existing advisory formats
Comments suppressed due to low confidence (1)
advisories/github-reviewed/2025/03/GHSA-2865-hh9g-w894/GHSA-2865-hh9g-w894.json:10
- The updated details section adds ASP.NET Core 6.0 information but does not specify a patched version for the affected runtimes. If a patch is available, please include the version number; otherwise, consider clarifying that no patch is currently provided.
"details": "# Microsoft Security Advisory CVE-2025-24070: .NET Elevation of Privilege Vulnerability..."
@victorisr, @rbhanda: could you please update your Security Advisory for this CVE that is posted here to match the details in the PR. Also, the Severity for the CVE is labeled as Low - it should be High and there is no CVSS rating listed. Thank you!
Hi @udlose CVE-2025-24070 is now updated to reflect the correct CVE details. Please do let us know of any additional concerns. We'll be happy to support. Thank you!
@victorisr Thank you. You still need to update CVE-2025-24070 with the info/additions about ASP.NET Core 6.0 from this PR.
Hi @udlose, I'm closing this PR because the description change adds general information about Dotnet that's out of scope for the GitHub Security Advisory. I see one of the maintainers has already issued a change to the advisory regarding the CVSS scoring, but anything further related to the repo advisory for GHSA-2865-hh9g-w894 will have to go through the maintainers. Thanks for your interest in GHSA-2865-hh9g-w894 and have a good day.
@helixplant Could you please reconsider? We at HeroDevs already did go through the maintainers and were able to have them add .NET 6.0 to the top of the advisory. For some reason you guys didn't make it consistent throughout the document - see:
Hi @udlose, we've reached out to the .NET team to review your request to add those version ranges to the repository GHSA and CVE. Unfortunately, we do not control the repository GHSA or the CVE record for this advisory as it was assigned by Microsoft.
In regard to the comment quoted above and the screenshot that you've included, it is a screenshot of the global GitHub Advisory and was changed as a result of this PR. The repository GHSA does not yet reflect v6.0.0 as being affected by this. Was this meant to be a screenshot of our global GitHub Advisory or the Microsoft Repository Advisory?
@helixplant The screenshot was from GHSA-2865-hh9g-w894. I want to make sure that all of the documentation is consistent. As it currently stands, GHSA-2865-hh9g-w894 is inconsistent; it has 6.0.36 listed at the top (as it should), but 6.0 is not listed in any table like 8 and 9 are. That inconsistency is what I'm trying to correct with this PR.
@udlose GHSA-2865-hh9g-w894 at aspnetcore repo has now been updated to reflect 6.0. Thanks
Thank you for your contribution to the Advisory Database @udlose! We have made the relevant changes to GHSA-2865-hh9g-w894 and you should be able to see the updates immediately. We've included you on the advisory with an analyst credit as a result of this pull request. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
@helixplant @victorisr There are still some updates from this PR that aren't applied to the aspnetcore repo security advisory GHSA-2865-hh9g-w894:
1: (current text)
but should read:
2: The table for ASP.NET Core 6 is missing:
Updates
Added missing information about 6.0.36