How severe is GHSA-q7cg-43mg-qp69?

GHSA-q7cg-43mg-qp69 has a CVSS score of 5.5/10, rated MEDIUM. Review your exposure and patch according to your risk tolerance.

Which packages are affected by GHSA-q7cg-43mg-qp69?

GHSA-q7cg-43mg-qp69 affects the following packages: Microsoft.AspNetCore.Authentication.JwtBearer (NuGet), Microsoft.AspNetCore.Authentication.JwtBearer (NuGet), Microsoft.AspNetCore.Authentication.JwtBearer (NuGet). Ecosystems affected: NuGet.

How do I fix GHSA-q7cg-43mg-qp69?

Update Microsoft.AspNetCore.Authentication.JwtBearer to 2.1.29 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-q7cg-43mg-qp69 is resolved across your whole dependency graph.

How do I detect GHSA-q7cg-43mg-qp69 in my NuGet dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for Microsoft.AspNetCore.Authentication.JwtBearer. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-q7cg-43mg-qp69 if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-q7cg-43mg-qp69?

O3 pinpoints whether GHSA-q7cg-43mg-qp69 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-q7cg-43mg-qp69 actively exploited in the wild?

No public exploit code has been indexed for GHSA-q7cg-43mg-qp69 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-q7cg-43mg-qp69?

GHSA-q7cg-43mg-qp69 has an EPSS (Exploit Prediction Scoring System) score of 1.1%, placing it in the 62th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

When was GHSA-q7cg-43mg-qp69 published, and has it been updated?

GHSA-q7cg-43mg-qp69 was published on August 25, 2021 and was last updated on November 28, 2024. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

.NET NuGet

GHSA-q7cg-43mg-qp69

MEDIUM

ASP.NET Core Information Disclosure Vulnerability

Also known asBIT-aspnet-core-2021-34532CVE-2021-34532

Published

Aug 25, 2021

Updated

Nov 28, 2024

Affected

3 pkgs

Patched

3 / 3

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

1.1%probability of exploitation in next 30 days

Lower Risk62th percentile+0.85%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

3 pkgs affected

.NETMicrosoft.AspNetCore.Authentication.JwtBearer.NETMicrosoft.AspNetCore.Authentication.JwtBearer.NETMicrosoft.AspNetCore.Authentication.JwtBearer

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects NuGet packages — download data is not available via public APIs for these ecosystems.

Description

An information disclosure vulnerability exists in .NET 5.0, .NET Core 3.1 and .NET Core 2.1 where a JWT token is logged if it cannot be parsed.

Patches

If you're using .NET 5.0, you should download and install Runtime 5.0.9 or SDK 5.0.206 (for Visual Studio 2019 v16.8) or SDK 5.0.303 (for Visual Studio 2019 V16.10) from https://dotnet.microsoft.com/download/dotnet-core/5.0.
If you're using .NET Core 3.1, you should download and install Runtime 3.1.18 or SDK 3.1.118 (for Visual Studio 2019 v16.4) or 3.1.412 (for Visual Studio 2019 v16.7 or later) from https://dotnet.microsoft.com/download/dotnet-core/3.1.
If you're using .NET Core 2.1, you should download and install Runtime 2.1.29 or SDK 2.1.525 (for Visual Studio 2019 v15.9) or 2.1.817 from https://dotnet.microsoft.com/download/dotnet-core/2.1.
If your application is using .NET Core 2.1 running on .NET Framework see the Updating .NET Core 2.1 on .NET Framework section below.

<a name="updating-2.1"></a> Updating .NET Core 2.1 on .NET Framework

If you are running .NET Core 2.1 on .NET Framework you need to check your projects for dependencies and update them accordingly.

Direct dependencies

Direct dependencies are discoverable by examining your csproj file. They can be fixed by editing the project file or using NuGet to update the dependency.

Transitive dependencies

Transitive dependencies occur when you add a package to your project that in turn relies on another package. For example, if Contoso publishes a package Contoso.Utility which, in turn, depends on Contoso.Internals and you add the Contoso.Utility package to your project now your project has a direct dependency on Contoso.Utility and, because Contoso.Utility depends 'Contoso.Internals', your application gains a transitive dependency on the Contoso.Internals package.

Transitive dependencies are reviewable in two ways:

In the Visual Studio Solution Explorer window, which supports searching.
By examining the project.assets.json file contained in the obj directory of your project for csproj based projects

The project.assets.json files are the authoritative list of all packages used by your project, containing both direct and transitive dependencies.

There are two ways to view transitive dependencies. You can either use Visual Studio’s Solution Explorer, or you can review the project.assets.json file).

<a name="vs-solution-explorer"></a>Using Visual Studio Solution Explorer

To use Solution Explorer, open the project in Visual Studio, and then press Ctrl+; to activate the search in Solution Explorer. Search for the vulnerable package and make a note of the version numbers of any results you find.

For example, search for Microsoft.AspNetCore.Authentication.JwtBearer and update the package to the latest version

<a name="project-assets-json"></a> Manually reviewing project.assets.json

Open the project.assets.json file from your project’s obj directory in your editor. We suggest you use an editor that understands JSON and allows you to collapse and expand nodes to review this file. Visual Studio and Visual Studio Code provide JSON friendly editing.

Search the project.assets.json file for the vulnerable package, using the format packagename/ for each of the package names from the preceding table. If you find the assembly name in your search:

Examine the line on which they are found, the version number is after the /.
Compare to the vulnerable versions table.

For example, a search result that shows Microsoft.AspNetCore.Authentication.JwtBearer/2.1.0 is a reference to version 2.1.1 of Microsoft.AspNetCore.Authentication.JwtBearer.

If your project.assets.json file includes references to the vulnerable package, then you need to fix the transitive dependencies.

If you have not found any reference to any vulnerable packages, this means either

None of your direct dependencies depend on any vulnerable packages, or
You have already fixed the problem by updating the direct dependencies.

Other Details

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/195
An Issue for this can be found at https://github.com/dotnet/aspnetcore/issues/35246
MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34532

Affected Packages

3 total 3 fixed

Ecosystem	Package	Vulnerable range	Fix
.NETNuGet	`Microsoft.AspNetCore.Authentication.JwtBearer`	≥ 2.1.0&&< 2.1.29	2.1.29
.NETNuGet	`Microsoft.AspNetCore.Authentication.JwtBearer`	≥ 3.0.0&&< 3.1.18	3.1.18
.NETNuGet	`Microsoft.AspNetCore.Authentication.JwtBearer`	≥ 5.0.0&&< 5.0.9	5.0.9

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for Microsoft.AspNetCore.Authentication.JwtBearer. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update Microsoft.AspNetCore.Authentication.JwtBearer to 2.1.29 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-q7cg-43mg-qp69 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-q7cg-43mg-qp69 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-q7cg-43mg-qp69. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 5.0, .NET Core 3.1 and .NET Core 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An information disclosure vulnerability exists in .NET 5.0, .NET Core 3.1 and .NET Core 2.1 where a JWT token is logged if it cannot be parsed. ### Patches * If you're using .NET 5.0, you should download and install Runtime 5.0.9 or SDK 5.0.206 (for Visual Studio 2019 v16.8) or SDK 5.0.303 (for Visual Studio 2019 V16.10) from https://do

O3 Security · Impact-Aware SCA

Is GHSA-q7cg-43mg-qp69 in your dependencies?

O3 detects GHSA-q7cg-43mg-qp69 across NuGet dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works