GHSA-9cxh-gqpx-qc5m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9cxh-gqpx-qc5m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-9cxh-gqpx-qc5m/GHSA-9cxh-gqpx-qc5m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9cxh-gqpx-qc5m
- Aliases
- Published
- 2021-10-12T17:49:25Z
- Modified
- 2023-12-06T01:01:36.086732Z
- Severity
-
- 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Credential Disclosure in System.DirectoryServices.Protocols
- Details
-
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A Information Disclosure vulnerability exists in .NET where System.DirectoryServices.Protocols.LdapConnection may send credentials in plain text on Linux.
Patches
Any .NET application that uses
System.DirectoryServices.Protocolswith a vulnerable version listed below on system based on Linux.Package name | Vulnerable versions | Secure versions ------------ | ---------------- | ------------------------- System.DirectoryServices.Protocols | 5.0.0 | 5.0.1
Other Details
- Announcement for this issue can be found at dotnet/announcements#202
- An Issue for this can be found at https://github.com/dotnet/runtime/issues/60301
- MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41355
- Database specific
{ "cwe_ids": [ "CWE-200" ], "severity": "MODERATE", "nvd_published_at": "2021-10-13T01:15:00Z", "github_reviewed_at": "2021-10-12T17:48:55Z", "github_reviewed": true }- References
-
- https://github.com/dotnet/runtime/security/advisories/GHSA-9cxh-gqpx-qc5m
- https://nvd.nist.gov/vuln/detail/CVE-2021-41355
- https://github.com/dotnet/runtime/issues/60301
- https://github.com/dotnet/runtime
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41355
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41355
- https://www.oracle.com/security-alerts/cpujan2022.html
Affected packages
NuGet / System.DirectoryServices.Protocols
Package
- Name
- System.DirectoryServices.Protocols
- View open source insights on deps.dev
- Purl
- pkg:nuget/System.DirectoryServices.Protocols