PT-2022-7017 · Microsoft+7 · Net Core 3.1+9
Edward Thomson · Published 2022-10-11 · Updated 2025-01-02 · CVE-2022-41032
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
- NuGet versions 6.3.0 and earlier
- NuGet versions 6.2.1 and earlier
- NuGet versions 6.0.2 and earlier
- NuGet versions 5.11.2 and earlier
- NuGet versions 5.9.2 and earlier
- NuGet versions 5.7.2 and earlier
- NuGet versions 4.9.5 and earlier
- .NET 6.0 versions prior to 6.0.10
- .NET Core 3.1 versions prior to 3.1.30
Description
A vulnerability exists in .NET and NuGet clients where a malicious actor could cause a user to execute arbitrary code. This issue is related to insufficient access control.
Recommendations
- If you're using NuGet.exe 6.3.0 or lower, download and install 6.3.1.
- If you're using NuGet.exe 6.2.1 or lower, download and install 6.2.2.
- If you're using NuGet.exe 6.0.2 or lower, download and install 6.0.3.
- If you're using NuGet.exe 5.11.2 or lower, download and install 5.11.3.
- If you're using NuGet.exe 5.9.2 or lower, download and install 5.9.3.
- If you're using NuGet.exe 5.7.2 or lower, download and install 5.7.3.
- If you're using NuGet.exe 4.9.5 or lower, download and install 4.9.6.
- If you're using .NET Core 6.0, download and install Runtime 6.0.10 or SDK 6.0.110.
- If you're using .NET Core 3.1, download and install Runtime 3.1.30 or SDK 3.1.424.
Fix
LPE
Improper Privilege Management
Related Identifiers
Affected Products
Net 6.0
Net Core 3.1
Alt Linux
Almalinux
Centos
Linuxmint
Nuget
Red Hat
Rocky Linux
Ubuntu