GHSA-vgwq-hfqc-58wv

Source

https://github.com/advisories/GHSA-vgwq-hfqc-58wv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-vgwq-hfqc-58wv/GHSA-vgwq-hfqc-58wv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vgwq-hfqc-58wv

Aliases

Published

2022-10-20T21:34:09Z

Modified

2024-12-06T05:38:33.518809Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

.NET Core Information Disclosure Vulnerability

Details

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 5.0, .NET Core 3.1 and .NET Core 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

An information disclosure vulnerability exists in .NET 5.0, .NET Core 3.1 and .NET Core 2.1 when dumps created by the tool to collect crash dumps and dumps on demand are created with global read permissions on Linux and macOS.

Patches

If you're using .NET 5.0, you should download and install Runtime 5.0.9 or SDK 5.0.206 (for Visual Studio 2019 v16.8) or SDK 5.0.303 (for Visual Studio 2019 V16.10) from https://dotnet.microsoft.com/download/dotnet-core/5.0.
If you're using .NET Core 3.1, you should download and install Runtime 3.1.18 or SDK 3.1.118 (for Visual Studio 2019 v16.4) or 3.1.412 (for Visual Studio 2019 v16.7 or later) from https://dotnet.microsoft.com/download/dotnet-core/3.1.
If you're using .NET Core 2.1, you should download and install Runtime 2.1.29 or SDK 2.1.525 (for Visual Studio 2019 v15.9) or 2.1.817 from https://dotnet.microsoft.com/download/dotnet-core/2.1.

Other Details

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/196
An Issue for this can be found at https://github.com/dotnet/runtime/issues/57174
MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34485

Database specific

{
    "nvd_published_at": "2021-08-12T18:15:00Z",
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-20T21:34:09Z"
}

References

Affected packages

NuGet / Microsoft.NETCore.App

Package

Name: Microsoft.NETCore.App; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.1.0

Fixed

2.1.29

Affected versions

2.*

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.1.11

2.1.12

2.1.13

2.1.14

2.1.15

2.1.16

2.1.17

2.1.18

2.1.19

2.1.20

2.1.21

2.1.22

2.1.23

2.1.24

2.1.25

2.1.26

2.1.27

2.1.28

NuGet / Microsoft.NETCore.App.Runtime.linux-arm

Package

Name: Microsoft.NETCore.App.Runtime.linux-arm; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-arm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.linux-arm64

Package

Name: Microsoft.NETCore.App.Runtime.linux-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.linux-musl-arm64

Package

Name: Microsoft.NETCore.App.Runtime.linux-musl-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-musl-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.linux-musl-x64

Package

Name: Microsoft.NETCore.App.Runtime.linux-musl-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-musl-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.linux-x64

Package

Name: Microsoft.NETCore.App.Runtime.linux-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.osx-x64

Package

Name: Microsoft.NETCore.App.Runtime.osx-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.osx-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.rhel.6-x64

Package

Name: Microsoft.NETCore.App.Runtime.rhel.6-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.rhel.6-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.win-arm

Package

Name: Microsoft.NETCore.App.Runtime.win-arm; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.win-arm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.win-arm64

Package

Name: Microsoft.NETCore.App.Runtime.win-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.win-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.win-x64

Package

Name: Microsoft.NETCore.App.Runtime.win-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.win-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.win-x86

Package

Name: Microsoft.NETCore.App.Runtime.win-x86; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.win-x86

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.18

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

NuGet / Microsoft.NETCore.App.Runtime.linux-arm

Package

Name: Microsoft.NETCore.App.Runtime.linux-arm; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-arm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.linux-arm64

Package

Name: Microsoft.NETCore.App.Runtime.linux-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.linux-musl-arm

Package

Name: Microsoft.NETCore.App.Runtime.linux-musl-arm; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-musl-arm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.linux-musl-arm64

Package

Name: Microsoft.NETCore.App.Runtime.linux-musl-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-musl-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.linux-musl-x64

Package

Name: Microsoft.NETCore.App.Runtime.linux-musl-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-musl-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.linux-x64

Package

Name: Microsoft.NETCore.App.Runtime.linux-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.linux-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.linux-arm

Package

Name: Microsoft.NETCore.App.Runtime.Mono.linux-arm; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.linux-arm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.linux-arm64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.linux-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.linux-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.linux-x64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.linux-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.linux-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-arm64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-x64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.osx-x64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.osx-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.osx-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-arm64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-x64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.LLVM.osx-x64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.LLVM.osx-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.osx-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.Mono.osx-x64

Package

Name: Microsoft.NETCore.App.Runtime.Mono.osx-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.Mono.osx-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.osx-x64

Package

Name: Microsoft.NETCore.App.Runtime.osx-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.osx-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.win-arm

Package

Name: Microsoft.NETCore.App.Runtime.win-arm; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.win-arm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.win-arm64

Package

Name: Microsoft.NETCore.App.Runtime.win-arm64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.win-arm64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.win-x64

Package

Name: Microsoft.NETCore.App.Runtime.win-x64; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.win-x64

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

NuGet / Microsoft.NETCore.App.Runtime.win-x86

Package

Name: Microsoft.NETCore.App.Runtime.win-x86; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.NETCore.App.Runtime.win-x86

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8