First published: Tue Mar 05 2019
A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify a NuGet package's folder structure, aka 'NuGet Package Manager Tampering Vulnerability'.
Credit: secure@microsoft.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/dotnet | <2.1.9 | 2.1.9 |
redhat/dotnet | <2.2.3 | 2.2.3 |
Microsoft Visual Studio 2017 | | |
Apple macOS | | |
Microsoft NuGet | =4.3.1 | |
Microsoft NuGet | =4.4.2 | |
Microsoft NuGet | =4.5.2 | |
Microsoft NuGet | =4.6.3 | |
Microsoft NuGet | =4.7.2 | |
Microsoft NuGet | =4.8.2 | |
Microsoft NuGet | =4.9.4 | |
Mono-project Mono Framework | =5.18.0.223 | |
Mono-project Mono Framework | =5.20.0 | |
Microsoft .NET Core SDK | =1.1 | |
Microsoft .NET Core | =1.0 | |
Microsoft .NET Core | =1.1 | |
Microsoft .NET Core SDK | =2.1.500 | |
Microsoft .NET Core | =2.1 | |
Microsoft .NET Core SDK | =2.2.100 | |
Microsoft .NET Core | =2.2 | |
Red Hat Enterprise Linux | =8.0 | |
Red Hat Enterprise Linux EUS | =8.1 | |
Red Hat Enterprise Linux EUS | =8.2 | |
Red Hat Enterprise Linux EUS | =8.4 | |
Red Hat Enterprise Linux Server AUS | =8.2 | |
Red Hat Enterprise Linux Server AUS | =8.4 | |
Red Hat Enterprise Linux Server TUS | =8.2 | |
Red Hat Enterprise Linux Server TUS | =8.4 | |
CVE-2019-0757 is a tampering vulnerability in the NuGet Package Manager for Linux and Mac that allows an authenticated attacker to modify a NuGet package's folder structure.
The severity of CVE-2019-0757 is high, with a severity value of 6.5.
The affected software includes NuGet Package Manager versions 4.3.1 to 4.9.4, Microsoft Visual Studio 2017, Microsoft .NET Core SDK versions 1.1, 2.1.500, and 2.2.100, and Mono-project Mono Framework versions 5.18.0.223 and 5.20.0.
To fix CVE-2019-0757, update to NuGet Package Manager version 4.9.5 or later.
More information about CVE-2019-0757 is available in the following references: [Red Hat Security Advisory RHSA-2019:1259](https://access.redhat.com/errata/RHSA-2019:1259), [Microsoft Security Guidance Advisory](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0757), [Red Hat Security Advisory RHSA-2019:0544](https://access.redhat.com/errata/RHSA-2019:0544).