PT-2021-2080 · Microsoft · System.Text.Encodings.Web

Published: 2021-02-09 · Updated: 2024-03-06 · CVE-2021-26701

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
.NET Core versions 2.1, 3.1, and 5.0
System.Text.Encodings.Web versions 4.0.0 through 4.5.0
System.Text.Encodings.Web versions 4.6.0 through 4.7.1
System.Text.Encodings.Web version 5.0.0
Description: The vulnerability is related to insufficient input validation in the .NET Core platform, allowing a remote attacker to execute arbitrary code. A remote code execution issue exists in .NET 5 and .NET Core due to how text encoding is performed. The vulnerable package is System.Text.Encodings.Web.
Recommendations:
For .NET Core versions 2.1 and 3.1, update the System.Text.Encodings.Web package to a secure version.
For System.Text.Encodings.Web versions 4.0.0 through 4.5.0, upgrade to version 4.5.1.
For System.Text.Encodings.Web versions 4.6.0 through 4.7.1, upgrade to version 4.7.2.
For System.Text.Encodings.Web version 5.0.0, upgrade to version 5.0.1.
As a temporary workaround, consider restricting the use of the System.Text.Encodings.Web package until a patch is applied.

Fix

RCE

Weakness Enumeration

Related Identifiers

ALT-PU-2021-2098
ALT-PU-2021-2109
ALT-PU-2021-2110
ALT-PU-2021-2111
ALT-PU-2021-2112
ALT-PU-2022-1544
ALT-PU-2022-1545
ALT-PU-2022-1546
ALT-PU-2022-1547
ALT-PU-2022-1548
BDU:2021-00931
BIT-DOTNET-2021-26701
BIT-DOTNET-SDK-2021-26701
CESA-2021_0788
CESA-2021_0790
CESA-2021_0793
CVE-2021-26701
GHSA-GHHP-997W-QR28
RHSA-2021:0787
RHSA-2021:0788
RHSA-2021:0789
RHSA-2021:0790
RHSA-2021:0793
RHSA-2021:0794
RHSA-2021_0788
RHSA-2021_0790
RHSA-2021_0793

Affected Products

ALT Linux
CentOS
.NET Core
Red Hat
System.Text.Encodings.Web