.NET Core Remote Code Execution Vulnerability
Critical severity
GitHub Reviewed
Published
Apr 21, 2021
to the GitHub Advisory Database
•
Updated Jan 7, 2024
Package
Affected versions
>= 4.0.0, < 4.5.1
>= 4.6.0, < 4.7.2
= 5.0.0
Patched versions
4.5.1
4.7.2
5.0.1
Description
Published by the National Vulnerability Database
Feb 25, 2021
Reviewed
Apr 21, 2021
Published to the GitHub Advisory Database
Apr 21, 2021
Last updated
Jan 7, 2024
.NET Core Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-24112.
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 5.0, .NET Core 3.1, and .NET Core 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A remote code execution vulnerability exists in .NET 5 and .NET Core due to how text encoding is performed.
Discussion
Discussion for this issue can be found at dotnet/runtime#49377
Mitigation factors
Microsoft has not identified any mitigating factors for this vulnerability.
Affected software
The vulnerable package is
System.Text.Encodings.Web. Upgrading your package and redeploying your app should be sufficient to address this vulnerability.Vulnerable package versions:
Any .NET 5, .NET Core, or .NET Framework based application that uses the System.Text.Encodings.Web package with a vulnerable version listed below.
Please validate that each of the .NET versions you are using is in support. Security updates are only provided for supported .NET versions.
References