GHSA-6qmf-mmc7-6c2p

Source

https://github.com/advisories/GHSA-6qmf-mmc7-6c2p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-6qmf-mmc7-6c2p/GHSA-6qmf-mmc7-6c2p.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6qmf-mmc7-6c2p

Aliases

CVE-2023-29337

Published

2023-06-14T16:44:21Z

Modified

2024-06-03T18:48:25.031799Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

NuGet Client Remote Code Execution Vulnerability

Details

Description

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET and NuGet on Linux. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET 7.0 and NuGet(nuget.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement) where a potential race condition that can lead to a symlink attack on Linux. Non-Linux platforms are not affected.

Affected software

This issue only affects Linux systems.

NuGet & NuGet Packages

Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.6.0 version or earlier.
Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.5.0 version or earlier.
Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.4.1 version or earlier.
Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.3.2 version or earlier.
Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.2.3 version or earlier.
Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.0.4 version or earlier.
Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 5.11.4

.NET SDK(s)

Any .NET SDK 7.0.106 or earlier, or 7.0.303 or earlier
Any .NET SDK 6.0.117 or earlier, or 6.0.312 or earlier, or 6.0.409 or earlier.

Patches

To fix the issue, please install the latest version of .NET 6.0 or .NET 7.0 and NuGet (NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, NuGet.PackageManagement versions). If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.

If you're using NuGet.exe 6.6.0 or lower, you should download and install 6.6.1 from https://dist.nuget.org/win-x86-commandline/v6.6.1/nuget.exe.
If you're using NuGet.exe 6.5.0 or lower, you should download and install 6.5.1 from https://dist.nuget.org/win-x86-commandline/v6.5.1/nuget.exe.
If you're using NuGet.exe 6.4.1 or lower, you should download and install 6.4.2 from https://dist.nuget.org/win-x86-commandline/v6.4.2/nuget.exe.
If you're using NuGet.exe 6.3.2 or lower, you should download and install 6.3.3 from https://dist.nuget.org/win-x86-commandline/v6.3.3/nuget.exe.
If you're using NuGet.exe 6.2.3 or lower, you should download and install 6.2.4 from https://dist.nuget.org/win-x86-commandline/v6.2.4/nuget.exe.
If you're using NuGet.exe 6.0.4 or lower, you should download and install 6.0.5 from https://dist.nuget.org/win-x86-commandline/v6.0.5/nuget.exe.
If you're using NuGet.exe 5.11.4 or lower, you should download and install 5.11.5 from https://dist.nuget.org/win-x86-commandline/v5.11.5/nuget.exe.
If you're using .NET 7.0, you should download and install Runtime 7.0.7 or SDK 7.0.107 or SDK 7.0.304 from https://dotnet.microsoft.com/download/dotnet-core/7.0.
If you're using .NET 7.0, you should download and install Runtime 7.0.7 or SDK 7.0.107 or SDK 7.0.304 from https://dotnet.microsoft.com/download/dotnet-core/7.0.
If you're using .NET 6.0, you should download and install Runtime 6.0.18 or SDK 6.0.118 or SDK 6.0.312 from https://dotnet.microsoft.com/download/dotnet-core/6.0.

Other details

Announcement for this issue can be found at https://github.com/NuGet/Announcements/issues/69

MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29337

Database specific

{
    "nvd_published_at": "2023-06-14T15:15:09Z",
    "cwe_ids": [
        "CWE-367"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-14T16:44:21Z"
}

References

Affected packages

NuGet / Microsoft.Build.NuGetSdkResolver

Package

Name: Microsoft.Build.NuGetSdkResolver; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.Build.NuGetSdkResolver

Affected ranges

Affected versions

5.*

5.9.0-rc.7122

NuGet / NuGet.PackageManagement

Package

Name: NuGet.PackageManagement; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.PackageManagement

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.0.5

Affected versions

6.*

6.0.0

6.0.2

NuGet / NuGet.PackageManagement

Package

Name: NuGet.PackageManagement; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.PackageManagement

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.2.4

Affected versions

6.*

6.2.0

6.2.1

6.2.2

NuGet / NuGet.PackageManagement

Package

Name: NuGet.PackageManagement; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.PackageManagement

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.3.0

Fixed

6.3.3

Affected versions

6.*

6.3.0

6.3.1

NuGet / NuGet.PackageManagement

Package

Name: NuGet.PackageManagement; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.PackageManagement

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.4.0

Fixed

6.4.2

Affected versions

6.*

6.4.0

NuGet / NuGet.PackageManagement

Package

Name: NuGet.PackageManagement; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.PackageManagement

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.5.0

Fixed

6.5.1

Affected versions

6.*

6.5.0

NuGet / NuGet.PackageManagement

Package

Name: NuGet.PackageManagement; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.PackageManagement

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.6.0

Fixed

6.6.1

Affected versions

6.*

6.6.0

NuGet / Microsoft.Build.NuGetSdkResolver

Package

Name: Microsoft.Build.NuGetSdkResolver; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.Build.NuGetSdkResolver

Affected ranges

Affected versions

5.*

5.10.0-rc.7240

NuGet / Microsoft.Build.NuGetSdkResolver

Package

Name: Microsoft.Build.NuGetSdkResolver; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.Build.NuGetSdkResolver

Affected ranges

Affected versions

5.*

5.11.0-rc.10

NuGet / NuGet.Commands

Package

Name: NuGet.Commands; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Commands

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.0.5

Affected versions

6.*

6.0.0

6.0.2

NuGet / NuGet.Commands

Package

Name: NuGet.Commands; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Commands

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.2.4

Affected versions

6.*

6.2.0

6.2.1

6.2.2

NuGet / NuGet.Commands

Package

Name: NuGet.Commands; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Commands

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.3.0

Fixed

6.3.3

Affected versions

6.*

6.3.0

6.3.1

NuGet / NuGet.Commands

Package

Name: NuGet.Commands; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Commands

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.4.0

Fixed

6.4.2

Affected versions

6.*

6.4.0

NuGet / NuGet.Commands

Package

Name: NuGet.Commands; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Commands

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.5.0

Fixed

6.5.1

Affected versions

6.*

6.5.0

NuGet / NuGet.Commands

Package

Name: NuGet.Commands; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Commands

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.6.0

Fixed

6.6.1

Affected versions

6.*

6.6.0

NuGet / NuGet.CommandLine

Package

Name: NuGet.CommandLine; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.CommandLine

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.0.5

Affected versions

6.*

6.0.0

6.0.2

NuGet / NuGet.CommandLine

Package

Name: NuGet.CommandLine; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.CommandLine

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.2.4

Affected versions

6.*

6.2.0

6.2.1

6.2.2

NuGet / NuGet.CommandLine

Package

Name: NuGet.CommandLine; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.CommandLine

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.3.0

Fixed

6.3.3

Affected versions

6.*

6.3.0

6.3.1

NuGet / NuGet.CommandLine

Package

Name: NuGet.CommandLine; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.CommandLine

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.4.0

Fixed

6.4.2

Affected versions

6.*

6.4.0

NuGet / NuGet.CommandLine

Package

Name: NuGet.CommandLine; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.CommandLine

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.5.0

Fixed

6.5.1

Affected versions

6.*

6.5.0

NuGet / NuGet.CommandLine

Package

Name: NuGet.CommandLine; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.CommandLine

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.6.0

Fixed

6.6.1

Affected versions

6.*

6.6.0

NuGet / NuGet.Common

Package

Name: NuGet.Common; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Common

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.0.5

Affected versions

6.*

6.0.0

6.0.2

NuGet / NuGet.Common

Package

Name: NuGet.Common; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Common

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.2.4

Affected versions

6.*

6.2.0

6.2.1

6.2.2

NuGet / NuGet.Common

Package

Name: NuGet.Common; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Common

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.3.0

Fixed

6.3.3

Affected versions

6.*

6.3.0

6.3.1

NuGet / NuGet.Common

Package

Name: NuGet.Common; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Common

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.4.0

Fixed

6.4.2

Affected versions

6.*

6.4.0

NuGet / NuGet.Common

Package

Name: NuGet.Common; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Common

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.5.0

Fixed

6.5.1

Affected versions

6.*

6.5.0

NuGet / NuGet.Common

Package

Name: NuGet.Common; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Common

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.6.0

Fixed

6.6.1

Affected versions

6.*

6.6.0

NuGet / NuGet.Protocol

Package

Name: NuGet.Protocol; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Protocol

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.0.5

Affected versions

6.*

6.0.0

6.0.2

NuGet / NuGet.Protocol

Package

Name: NuGet.Protocol; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Protocol

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.2.4

Affected versions

6.*

6.2.0

6.2.1

6.2.2

NuGet / NuGet.Protocol

Package

Name: NuGet.Protocol; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Protocol

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.3.0

Fixed

6.3.3

Affected versions

6.*

6.3.0

6.3.1

NuGet / NuGet.Protocol

Package

Name: NuGet.Protocol; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Protocol

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.4.0

Fixed

6.4.2

Affected versions

6.*

6.4.0

NuGet / NuGet.Protocol

Package

Name: NuGet.Protocol; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Protocol

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.5.0

Fixed

6.5.1

Affected versions

6.*

6.5.0

NuGet / NuGet.Protocol

Package

Name: NuGet.Protocol; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Protocol

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.6.0

Fixed

6.6.1

Affected versions

6.*

6.6.0

NuGet / NuGet.PackageManagement

Package

Name: NuGet.PackageManagement; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.PackageManagement

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.6.0

Fixed

5.11.5

Affected versions

4.*

4.6.0

4.6.1

4.6.2

4.6.3

4.6.4

4.7.0-preview1-4986

5.*

5.7.1

5.7.2

5.9.0

5.9.1

5.9.2

5.9.3

5.10.0

5.11.0

5.11.2

5.11.3

NuGet / NuGet.Commands

Package

Name: NuGet.Commands; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Commands

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.6.0

Fixed

5.11.5

Affected versions

4.*

4.6.0

4.6.1

4.6.2

4.6.3

4.6.4

4.7.0-preview1-4986

5.*

5.7.1

5.7.2

5.9.0

5.9.1

5.9.2

5.9.3

5.10.0

5.11.0

5.11.2

5.11.3

NuGet / NuGet.CommandLine

Package

Name: NuGet.CommandLine; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.CommandLine

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.6.0

Fixed

5.11.5

Affected versions

4.*

4.6.2

4.6.3

4.6.4

4.7.1

4.7.2

4.7.3

4.8.2

4.9.2

4.9.3

4.9.4

4.9.5

4.9.6

5.*

5.0.2

5.1.0

5.2.0

5.2.1

5.3.0

5.3.1

5.4.0

5.5.1

5.6.0

5.7.0

5.7.1

5.7.2

5.8.0

5.8.1

5.9.1

5.9.2

5.9.3

5.10.0

5.11.0

5.11.2

5.11.3

NuGet / NuGet.Common

Package

Name: NuGet.Common; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Common

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.6.0

Fixed

5.11.5

Affected versions

4.*

4.6.0

4.6.1

4.6.2

4.6.3

4.6.4

4.7.0-preview1-4986

5.*

5.7.1

5.7.2

5.9.0

5.9.1

5.9.2

5.9.3

5.10.0

5.11.0

5.11.2

5.11.3

NuGet / NuGet.Protocol

Package

Name: NuGet.Protocol; View open source insights on deps.dev
Purl: pkg:nuget/NuGet.Protocol

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.7.0

Fixed

5.11.5

Affected versions

5.*

5.7.1

5.7.2

5.9.0

5.9.1

5.9.2

5.9.3

5.10.0

5.11.0

5.11.2

5.11.3