[ASA-202103-20] dotnet-runtime: arbitrary code execution

2021-03-25 00:00:00
security.archlinux.org
CVSS3 : 8.1 High
Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector : NETWORK
Attack Complexity : HIGH
Privileges Required : NONE
User Interaction : NONE
Scope : UNCHANGED
Confidentiality Impact : HIGH
Integrity Impact : HIGH
Availability Impact : HIGH

CVSS2 : 7.5 High
Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector : NETWORK
Access Complexity : LOW
Authentication : NONE
Confidentiality Impact : PARTIAL
Integrity Impact : PARTIAL
Availability Impact : PARTIAL

EPSS : 0.081 Low
Percentile : 94.2%

Arch Linux Security Advisory ASA-202103-20

Severity: High
Date : 2021-03-25
CVE-ID : CVE-2021-26701
Package : dotnet-runtime
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1698

Summary

The package dotnet-runtime before version 5.0.4.sdk104-1 is vulnerable
to arbitrary code execution.

Resolution

Upgrade to 5.0.4.sdk104-1.

pacman -Syu "dotnet-runtime>=5.0.4.sdk104-1"

The problem has been fixed upstream in version 5.0.4.sdk104.

Workaround

None.

Description

A remote code execution vulnerability exists in .NET 5.0 before Runtime
5.0.4 and SDK 5.0.104 as well as .NET Core 3.1 before Runtime 3.1.13
and SDK 3.1.113 due to how text encoding is performed in the
System.Text.Encodings.Web package, caused by a buffer overrun.
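
A check for the version boundaries given in the Description, as an added example that is not part of the advisory: the function reads text in the format printed by `dotnet --list-runtimes` and flags entries older than 5.0.4 or 3.1.13. The function names, output labels and sample lines are constructed for illustration, and it assumes each framework line can be judged by its version number alone.

```shell
#!/bin/sh
# Added example (not from the advisory): compare installed .NET runtimes with
# the fixed versions named in the Description (5.0 -> 5.0.4, 3.1 -> 3.1.13).
# Input format, as printed by `dotnet --list-runtimes`:
#   <framework name> <version> [<install path>]
# Assumption: each framework line is judged by its version number alone.
check_runtimes() {
  awk '
    BEGIN { fixed["5.0"] = 4; fixed["3.1"] = 13 }   # first fixed patch level
    NF >= 2 {
      split($2, v, /[.-]/)             # 5.0.0-rc.1 -> 5 0 0 rc 1
      branch = v[1] "." v[2]
      if (!(branch in fixed)) {
        # The advisory does not cover this branch, so do not guess.
        printf "UNASSESSED %s %s\n", $1, $2
      } else if (v[3] + 0 < fixed[branch]) {
        printf "BELOW_FIX %s %s (fixed in %s.%d)\n", $1, $2, branch, fixed[branch]
        bad = 1
      } else {
        printf "OK %s %s\n", $1, $2
      }
    }
    END { exit bad + 0 }               # non-zero when any entry is below the fix
  '
}

# Constructed sample input, not captured from a real host.
sample_runtimes() {
  cat <<'EOF'
Microsoft.AspNetCore.App 3.1.12 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.13 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.4 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.0 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
EOF
}

# On a real host: dotnet --list-runtimes | check_runtimes
sample_runtimes | check_runtimes || echo "at least one runtime predates the fix"
```

Self-contained applications bundle their own copy of the runtime and do not appear in this listing, so they need to be checked separately.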

Impact

An attacker can execute arbitrary code by abusing the text encoding.

References

https://bugs.archlinux.org/task/69317
https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701
https://github.com/dotnet/announcements/issues/178
https://security.archlinux.org/CVE-2021-26701

OS         Version  Architecture  Package         Version           Filename
ArchLinux  any      any           dotnet-runtime  < 5.0.4.sdk104-1  UNKNOWN
