As mentioned in the vulnerability report published to dotnet/aspnetcore, System.IdentityModel.Tokens.Jwt version <5.7.0 OR >=6.5.0 and <6.34.0 OR >=7.0.0 and <7.1.2 is vulnerable to a denial-of-service attack.
The link to the report is https://github.com/advisories/GHSA-59j7-ghrg-fj52
The highest AspNetCore.HealthChecks.UI version compatible with .NET 6 is version 7.0.2. This version depends upon the NuGet package "KubernetesClient@11.0.44", and this version of KubernetesClient depends upon the package "System.IdentityModel.Tokens.Jwt@6.32.0".
Hence, any .NET 6 application using the latest AspNetCore.HealthChecks.UI version is vulnerable to this attack.
Resolution:
Upgrade the dependency of the AspNetCore.HealthChecks.UI package on the KubernetesClient package to a minimum of version 13.0.11, as this version of KubernetesClient uses System.IdentityModel.Tokens.Jwt@7.1.2, which is the patched version and is safe to use.
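A check for the dependency chain described above, as an added example that is not part of the original issue or of either project's code: it reads the `targets` section of the `obj/project.assets.json` file that NuGet restore writes and reports the resolved System.IdentityModel.Tokens.Jwt version, whether it falls in the ranges quoted in the issue, and which packages require it. The sample input is constructed from the versions named in the issue, and the function names are hypothetical.

```python
import json

PACKAGE = "System.IdentityModel.Tokens.Jwt"
# Vulnerable ranges exactly as stated in the issue: (inclusive low or None, exclusive high).
VULNERABLE_RANGES = [(None, (5, 7, 0)), ((6, 5, 0), (6, 34, 0)), ((7, 0, 0), (7, 1, 2))]

# Constructed sample: a trimmed project.assets.json holding only the chain the issue describes.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {
    "net6.0": {
      "AspNetCore.HealthChecks.UI/7.0.2": {
        "type": "package", "dependencies": {"KubernetesClient": "11.0.44"}},
      "KubernetesClient/11.0.44": {
        "type": "package", "dependencies": {"System.IdentityModel.Tokens.Jwt": "6.32.0"}},
      "System.IdentityModel.Tokens.Jwt/6.32.0": {"type": "package"}
    }
  }
}
""")


def parse_version(text):
    """'6.32.0' -> (6, 32, 0). Simplification: a pre-release or build suffix is dropped."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version):
    v = parse_version(version)
    return any((low is None or v >= low) and v < high for low, high in VULNERABLE_RANGES)


def audit(assets):
    """Per target framework: (resolved version, in a vulnerable range?, packages requiring it)."""
    report = {}
    for framework, libs in assets.get("targets", {}).items():
        # NuGet package ids are case-insensitive, so compare lowercased names.
        parents = sorted(key for key, meta in libs.items()
                         if any(d.lower() == PACKAGE.lower() for d in meta.get("dependencies", {})))
        for key in libs:
            name, _, version = key.partition("/")
            if name.lower() == PACKAGE.lower():
                report[framework] = (version, is_vulnerable(version), parents)
    return report


if __name__ == "__main__":
    for framework, (version, vulnerable, parents) in audit(SAMPLE_ASSETS).items():
        print(f"{framework}: {PACKAGE} {version} vulnerable={vulnerable} via {parents}")
```

To run it against a real project, replace `SAMPLE_ASSETS` with the parsed contents of that project's `obj/project.assets.json` after a restore.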