CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
94.3%
Severity: High
Date : 2021-03-25
CVE-ID : CVE-2021-26701
Package : dotnet-runtime
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1698
The package dotnet-runtime before version 5.0.4.sdk104-1 is vulnerable
to arbitrary code execution.
Upgrade to 5.0.4.sdk104-1.
The problem has been fixed upstream in version 5.0.4.sdk104.
None.
A remote code execution vulnerability exists in .NET 5.0 before Runtime
5.0.4 and SDK 5.0.104 as well as .NET Core 3.1 before Runtime 3.1.13
and SDK 3.1.113 due to how text encoding is performed in the
System.Text.Encodings.Web package, caused by a buffer overrun.
An attacker can execute arbitrary code by abusing the text encoding.
https://bugs.archlinux.org/task/69317
https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701
https://github.com/dotnet/announcements/issues/178
https://security.archlinux.org/CVE-2021-26701
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | dotnet-runtime | < 5.0.4.sdk104-1 | UNKNOWN |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
94.3%