Https://gitlab.com/gitlab-org/security-products/gemnasium-dbGITLAB-451481E4411A8ABA0FC8330FCF54F19BUnrestricted Upload of File with Dangerous Type
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.002 Low
EPSS
Percentile
54.8%
A denial of service vulnerability exists when the .NET implementation of Bond improperly parses input, aka ‘Bond Denial of Service Vulnerability’.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| nuget/bond.core.csharp | ge | 3.0.0 | |
| nuget/bond.core.csharp | lt | 9.0.1 |
References
github.com/advisories/GHSA-rqrc-8q8f-cp9c
github.com/microsoft/bond/commit/3afea822c42dd0095fedb9e7db9ebb99165e7343
github.com/microsoft/bond/commit/b0fd4a15a7cae946dd2855122559ca59cc34dbea
msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1469
nvd.nist.gov/vuln/detail/CVE-2020-1469
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1469
www.nuget.org/packages/Bond.Core.CSharp/9.0.1
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.002 Low
EPSS
Percentile
54.8%