.NET Core Remote Code Execution Vulnerability
Released: Feb 9, 2021
Last updated: Feb 24, 2021
- Assigning CNA: Microsoft
- CVE.org link: CVE-2021-24112
- Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
- Metrics: CVSS:3.1 8.1 / 7.3 (Base score metrics: 8.1 / Temporal score metrics: 7.3)
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
- Exploit Code Maturity: Proof-of-Concept
- Remediation Level: Official Fix
- Report Confidence: Confirmed
Please see Common Vulnerability Scoring System for more information on the definition of these metrics.
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
- Publicly disclosed: No
- Exploited: No
- Exploitability assessment: Exploitation Less Likely
FAQ
How could an attacker exploit this vulnerability?
When a .NET application utilizing libgdiplus on a non-Windows system accepts input, an attacker could send a specially crafted request that could result in remote code execution.
Does this vulnerability affect applications running on Windows?
No, Windows utilizes GDI+ to process these requests, and is not affected by this vulnerability.
Security Updates
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
Revisions
In the Security Updates table, added Visual Studio 2019 for Mac and Mono 6.12.0 because they are also affected by CVE-2021-24112. Microsoft recommends that customers running either of these products install the updates to be fully protected from the vulnerability.
Information published.