PT-2023-9822 · Microsoft+8 · .Net Sdk+9
Kalle Niemitalo · Published 2023-04-04 · Updated 2024-12-13
CVE-2023-29337
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
NuGet versions 6.6.0 and earlier
NuGet versions 6.5.0 and earlier
NuGet versions 6.4.1 and earlier
NuGet versions 6.3.2 and earlier
NuGet versions 6.2.3 and earlier
NuGet versions 6.0.4 and earlier
NuGet version 5.11.4
.NET SDK versions 7.0.106 and earlier, or 7.0.303 and earlier
.NET SDK versions 6.0.117 and earlier, or 6.0.312 and earlier, or 6.0.409 and earlier
Description
A vulnerability exists in NuGet and .NET on Linux, where a potential race condition can lead to a symlink attack. This issue allows a remote attacker to execute arbitrary code. The vulnerability is related to errors in synchronization when using a shared resource. Non-Linux platforms are not affected.
Recommendations
If you're using NuGet.exe 6.6.0 or lower, download and install 6.6.1 from https://dist.nuget.org/win-x86-commandline/v6.6.1/nuget.exe.
If you're using NuGet.exe 6.5.0 or lower, download and install 6.5.1 from https://dist.nuget.org/win-x86-commandline/v6.5.1/nuget.exe.
If you're using NuGet.exe 6.4.1 or lower, download and install 6.4.2 from https://dist.nuget.org/win-x86-commandline/v6.4.2/nuget.exe.
If you're using NuGet.exe 6.3.2 or lower, download and install 6.3.3 from https://dist.nuget.org/win-x86-commandline/v6.3.3/nuget.exe.
If you're using NuGet.exe 6.2.3 or lower, download and install 6.2.4 from https://dist.nuget.org/win-x86-commandline/v6.2.4/nuget.exe.
If you're using NuGet.exe 6.0.4 or lower, download and install 6.0.5 from https://dist.nuget.org/win-x86-commandline/v6.0.5/nuget.exe.
If you're using NuGet.exe 5.11.4 or lower, download and install 5.11.5 from https://dist.nuget.org/win-x86-commandline/v5.11.5/nuget.exe.
If you're using .NET 7.0, download and install Runtime 7.0.7 or SDK 7.0.107 or SDK 7.0.304 from https://dotnet.microsoft.com/download/dotnet-core/7.0.
If you're using .NET 6.0, download and install Runtime 6.0.18 or SDK 6.0.118 or SDK 6.0.312 from https://dotnet.microsoft.com/download/dotnet-core/6.0.
Fix
RCE
Time Of Check To Time Of Use
Affected Products
.Net Sdk
Alt Linux
Almalinux
Centos
Debian
Linuxmint
Nuget
Red Hat
Rocky Linux
Ubuntu