8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file.An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka ‘.NET Framework Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2020-0606.
Recent assessments:
zeroSteiner at May 20, 2020 1:02pm UTC reported:
A vulnerability exists in how Microsoft’s XPS documents are processed using .NET that can be leveraged to execute code using a deserialization attack. XPS files are effectively ZIP archives containing multiple member, of which ones .fdoc
, and .fpage
can be used as triggers. While this vulnerability was patched in May of 2020, it’s related to a similar vulnerability patched in January of 2020, which patched the same usage of the XPS document’s .fdseq
member file types.
The default XPS viewer in Windows does not use .NET to render the XPS document making it unaffected by this vulnerability. A vulnerable application would need to be configured to process a maliciously crafted XPS document. Due to this, it is unclear if in practice this vulnerability will require user interaction or authentication to leverage.
See: <https://www.mdsec.co.uk/2020/05/analysis-of-cve-2020-0605-code-execution-using-xps-files-in-net/>
Assessed Attacker Value: 2
Assessed Attacker Value: 2Assessed Attacker Value: 3
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C