CVE-2023-35391: 
vulnerability analysis and mitigation

ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability (CVE-2023-35391) was identified and disclosed on June 14, 2023. The vulnerability affects multiple Microsoft products including ASP.NET Core versions 2.1 through 2.1.40, .NET versions 6.0.0 through 6.0.21, 7.0.0 through 7.0.10, and Visual Studio 2022 versions 17.2.0 through 17.6.6 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction. Microsoft's assessment differs slightly with a CVSS score of 6.2 (Medium) and vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability primarily affects the confidentiality of the system, with potential for information disclosure. The CVSS scoring indicates high impact on confidentiality while maintaining no impact on integrity or availability of the affected systems (NVD).

Microsoft has released patches to address this vulnerability. Users are advised to update to the latest versions of the affected software: ASP.NET Core beyond version 2.1.40, .NET beyond versions 6.0.21 and 7.0.10, and Visual Studio 2022 versions beyond 17.2.18, 17.4.10, and 17.6.6 (Microsoft Advisory).