Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
archlinuxArchLinuxASA-202103-17
HistoryMar 25, 2021 - 12:00 a.m.

[ASA-202103-17] dotnet-sdk: multiple issues

2021-03-2500:00:00
security.archlinux.org
164

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.017 Low

EPSS

Percentile

87.5%

JSON

Arch Linux Security Advisory ASA-202103-17

Severity: High
Date : 2021-03-25
CVE-ID : CVE-2021-1721 CVE-2021-1723 CVE-2021-24112
Package : dotnet-sdk
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1449

Summary

The package dotnet-sdk before version 5.0.3.sdk103-2 is vulnerable to
multiple issues including arbitrary code execution and denial of
service.

Resolution

Upgrade to 5.0.3.sdk103-2.

pacman -Syu “dotnet-sdk>=5.0.3.sdk103-2”

The problems have been fixed upstream in version 5.0.3.sdk103.

Workaround

None.

Description

  • CVE-2021-1721 (denial of service)

A security issue was found in dotnet-core before version 3.1.12. A
denial-of-service vulnerability exists when creating HTTPS web request
during X509 certificate chain building.

  • CVE-2021-1723 (denial of service)

A flaw was found in dotnet-core before version 3.1.11. Running
callbacks outside of locks results in Krestel deadlock using HTTP2.

  • CVE-2021-24112 (arbitrary code execution)

A remote code execution vulnerability exists in dotnet-core before
version 3.1.12 when parsing certain types of graphics files. This
vulnerability only exists on systems running on MacOS or Linux.

Impact

A malicious client can send crafted HTTP requests and crash the server,
or execute arbitrary code by reading a crafted file.

References

https://bugs.archlinux.org/task/69317
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1721
https://github.com/dotnet/announcements/issues/175
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1723
https://github.com/dotnet/announcements/issues/170
https://github.com/dotnet/aspnetcore/commit/20ad9fa5dcde635c13c6c83806c4701d5b7ec21e
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24112
https://github.com/dotnet/announcements/issues/176
https://security.archlinux.org/CVE-2021-1721
https://security.archlinux.org/CVE-2021-1723
https://security.archlinux.org/CVE-2021-24112

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanydotnet-sdk< 5.0.3.sdk103-2UNKNOWN

Related

archlinux 1
altlinux 19
fedora 6
nessus 43
redhatcve 3
prion 3
veracode 2
cve 3
ibm 1
mscve 3
osv 12
oraclelinux 5
redhat 10
github 4
kaspersky 2
threatpost 1
malwarebytes 1
rapid7blog 2
oracle 1
archlinux
archlinux
[ASA-202103-16] dotnet-runtime: multiple issues
2021-03-25 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 9 package dotnet-aspnetcore-5.0 version 5.0.3-alt1
2021-02-18 00:00:00
Security fix for the ALT Linux 9 package dotnet-coreclr-2.1 version 2.1.25-alt1
2021-03-01 00:00:00
Security fix for the ALT Linux 10 package dotnet-bootstrap-7.0 version 6.0.0.preview.1-alt1
2021-02-23 00:00:00
fedora
fedora
[SECURITY] Fedora 33 Update: dotnet5.0-5.0.103-1.fc33
2021-02-21 01:20:39
[SECURITY] Fedora 32 Update: dotnet5.0-5.0.103-1.fc32
2021-02-24 20:47:25
[SECURITY] Fedora 33 Update: dotnet3.1-3.1.112-1.fc33
2021-02-24 20:43:16
nessus
nessus
Security Update for .NET Core (February 2021) (macOS)
2021-02-09 00:00:00
Fedora 33 : dotnet5.0 (2021-b881ee9839)
2021-02-22 00:00:00
Fedora 33 : dotnet3.1 (2021-c3d7fc8949)
2021-02-25 00:00:00
redhatcve
redhatcve
CVE-2021-24112
2021-03-01 15:38:56
CVE-2021-1723
2021-01-13 17:17:20
CVE-2021-1721
2021-02-10 21:36:49
prion
prion
Remote code execution
2021-02-25 23:15:00
Denial of service
2021-01-12 20:15:00
Denial of service
2021-02-25 23:15:00
veracode
veracode
Remote Code Execution (RCE)
2023-05-26 05:48:32
Denial Of Service (DoS)
2021-01-14 04:52:37
cve
cve
CVE-2021-24112
2021-02-25 23:15:00
CVE-2021-1723
2021-01-12 20:15:00
CVE-2021-1721
2021-02-25 23:15:00
ibm
ibm
Security Bulletin: Vulnerabilty in the .NET Core Framework may affect IBM Robotic Process Automation and could allow an attacker to remotely execute arbitrary code.
2023-01-04 20:16:40
mscve
mscve
.NET Core Remote Code Execution Vulnerability
2021-02-09 08:00:00
ASP.NET Core and Visual Studio Denial of Service Vulnerability
2021-01-12 08:00:00
.NET Core and Visual Studio Denial of Service Vulnerability
2021-02-09 08:00:00
osv
osv
CVE-2021-24112
2021-02-25 23:15:16
BIT-dotnet-2021-24112
2024-03-06 11:00:11
BIT-dotnet-sdk-2021-24112
2024-03-06 11:00:21
oraclelinux
oraclelinux
dotnet3.1 security and bugfix update
2021-01-15 00:00:00
dotnet5.0 security and bugfix update
2021-01-15 00:00:00
dotnet3.1 security and bugfix update
2021-02-11 00:00:00
redhat
redhat
(RHSA-2021:0096) Important: .NET 5.0 on Red Hat Enterprise Linux security and bugfix update
2021-01-13 14:12:56
(RHSA-2021:0095) Important: dotnet3.1 security and bugfix update
2021-01-13 14:12:53
(RHSA-2021:0473) Important: .NET 5.0 on Red Hat Enterprise Linux security and bugfix update
2021-02-10 16:27:18
github
github
ASP.NET Core and Visual Studio Denial of Service Vulnerability
2022-05-24 17:38:51
Denial of service in .NET core
2022-05-24 17:43:10
.NET Core Remote Code Execution Vulnerability
2021-04-21 19:38:01
kaspersky
kaspersky
KLA12073 Multiple vulnerabilities in Microsoft Developer Tools
2021-02-09 00:00:00
KLA12040 Multiple vulnerability in Microsoft Developer Tools
2021-01-12 00:00:00
threatpost
threatpost
Actively Exploited Windows Kernel Bug Allows Takeover
2021-02-09 22:33:08
malwarebytes
malwarebytes
Big Patch Tuesday: Microsoft and Adobe fix in-the-wild exploits
2021-02-10 17:26:33
rapid7blog
rapid7blog
Patch Tuesday - February 2021
2021-02-09 23:51:27
Patch Tuesday - January 2021
2021-01-12 23:59:00
oracle
oracle
Oracle Critical Patch Update Advisory - July 2023
2023-07-18 00:00:00

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.017 Low

EPSS

Percentile

87.5%

JSON
Related for ASA-202103-17
archlinux1altlinux19fedora6nessus43redhatcve3prion3veracode2cve3ibm1mscve3osv12oraclelinux5redhat10github4kaspersky2threatpost1malwarebytes1rapid7blog2oracle1