Lucene search

K
veracodeVeracode Vulnerability DatabaseVERACODE:41035
HistoryJun 27, 2023 - 9:14 a.m.

Remote Code Execution (RCE)

2023-06-2709:14:05
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
55
vulnerability
remote code execution
linq queries
public methods
malicious code
software

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.004

Percentile

72.6%

system.linq.dynamic.core is vulnerable to Remote Code Execution (RCE). The vulnerability is due to Linq queries having access to public methods on classes retrieved via the Where(), All(), Any() and .OrderBy() methods which allows an attacker to execute malicious code on the system.

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.004

Percentile

72.6%