.NET Core Remote Code Execution Vulnerability
Released: Feb 9, 2021
Last updated: Mar 12, 2021
- Assigning CNA
- Microsoft
- CVE.org link
- CVE-2021-26701
- Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
- Metrics
- CVSS:3.1 8.1 / 7.1Base score metrics: 8.1 / Temporal score metrics: 7.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Exploit Code Maturity
Unproven
Remediation Level
Official Fix
Report Confidence
Confirmed
Please see Common Vulnerability Scoring System for more information on the definition of these metrics.
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
- Publicly disclosed
- Yes
- Exploited
- No
- Exploitability assessment
- Exploitation Less Likely
FAQ
Is Visual Studio affected by this vulnerability?
Visual Studio contains the binaries for .NET, but Visual Studio is not vulnerable to this issue. The update is offered to include the .NET files so any future applications built in Visual Studio which include .NET functionality will be protected from this issue.
Acknowledgements
Security Updates
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
- -
- -
- -
- -
- -
- -
Disclaimer
Revisions
Revised the Security Updates table to include PowerShell Core 7.0 and PowerShell Core 7.1 because these versions of PowerShell Core are also affected by this vulnerability. See https://github.com/PowerShell/Announcements-Internal/issues/23 for more information. Added Visual Studio 2019 for Mac to the Security Updates table as it is also affected by this vulnerability.
In the Security Updates table, added links to the Release Notes. This is an informational change only.
In the Security Updates table, added Visual Studio 2019 versions 16.9, 16.8, 16.7, and 16.4 and Visual Studio 2017 version 15.9. Visual Studio contains the binaries for .NET, but Visual Studio is not vulnerable to this issue. The update is offered to include the .NET files so any future applications built in Visual Studio which include .NET functionality will be protected from this issue.
Information published.