system.data.common is vulnerable to remote code execution (RCE). The vulnerability exists because DataSet allows unrestricted polymorphic deserialization without proper validation.
CPE Name | Operator | Version |
---|---|---|
system.data.common | le | 4.3.0 |
packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html
packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html
packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html
github.com/dotnet/announcements/issues/159
github.com/dotnet/runtime/commit/37cf387bda9c868cd0290b4f7c2b19517abe8da2
github.com/dotnet/runtime/issues/39296
github.com/dotnet/runtime/pull/39304
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147
www.exploitalert.com/view-details.html?id=35992