high
7.8
Advisory Published
Advisory Published
Updated

CVE-2022-41032: NuGet Client Elevation of Privilege Vulnerability

First published: Tue Oct 11 2022(Updated: )

## Description Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0.0-rc, .NET 6.0, .NET Core 3.1, and NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol). This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET 7.0.0-rc.1, .NET 6.0, .NET Core 3.1, and NuGet clients (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol) where a malicious actor could cause a user to execute arbitrary code. ## Affected software ### NuGet & NuGet Packages - Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.3.0 version or earlier. - Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.2.1 version or earlier. - Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.0.2 version or earlier. - Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 5.11.2 version or earlier. - Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 5.9.2 version or earlier. - Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 5.7.2 version or earlier. - Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 4.9.5 version or earlier. ### .NET SDK(s) - Any .NET 6.0 application running on .NET 6.0.9 or earlier. - Any .NET 3.1 application running on .NET Core 3.1.29 or earlier. ## Patches To fix the issue, please install the latest version of .NET 6.0 or .NET Core 3.1 and NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol versions). If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs. - If you're using NuGet.exe 6.3.0 or lower, you should download and install 6.3.1 from https://dist.nuget.org/win-x86-commandline/v6.3.1/nuget.exe . - If you're using NuGet.exe 6.2.1 or lower, you should download and install 6.2.2 from https://dist.nuget.org/win-x86-commandline/v6.2.2/nuget.exe . - If you're using NuGet.exe 6.0.2 or lower, you should download and install 6.0.3 from https://dist.nuget.org/win-x86-commandline/v6.0.3/nuget.exe . - If you're using NuGet.exe 5.11.2 or lower, you should download and install 5.11.3 from https://dist.nuget.org/win-x86-commandline/v5.11.3/nuget.exe . - If you're using NuGet.exe 5.9.2 or lower, you should download and install 5.9.3 from https://dist.nuget.org/win-x86-commandline/v5.9.3/nuget.exe . - If you're using NuGet.exe 5.7.2 or lower, you should download and install 5.7.3 from https://dist.nuget.org/win-x86-commandline/v5.7.3/nuget.exe . - If you're using NuGet.exe 4.9.5 or lower, you should download and install 4.9.6 from https://dist.nuget.org/win-x86-commandline/v4.9.6/nuget.exe . - If you're using .NET Core 6.0, you should download and install Runtime 6.0.10 or SDK 6.0.110 (for Visual Studio 2022 v17.0) or SDK 6.0.402 (for Visual Studio 2022 v17.3) from https://dotnet.microsoft.com/download/dotnet-core/6.0. - If you're using .NET Core 3.1, you should download and install Runtime 3.1.30 or SDK 3.1.424 (for Visual Studio 2019 v16.9 or Visual Studio 2019 v16.11 or Visual Studio 2022 v17.0 or Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/3.1. .NET 6.0 and .NET Core 3.1 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates. ## Other details Announcement for this issue can be found at https://github.com/NuGet/Announcements/issues/65 MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41032

Credit: secure@microsoft.com secure@microsoft.com secure@microsoft.com

Affected SoftwareAffected VersionHow to fix
nuget/NuGet.Protocol>=6.3.0<6.3.1
6.3.1
nuget/NuGet.Protocol>=6.1.0<6.2.2
6.2.2
nuget/NuGet.Protocol>=6.0.0<6.0.3
6.0.3
nuget/NuGet.Protocol>=5.10.0<5.11.3
5.11.3
nuget/NuGet.Protocol>=5.8.0<5.9.3
5.9.3
nuget/NuGet.Protocol>=5.0.0<5.7.3
5.7.3
nuget/NuGet.Protocol>=4.6.0<4.9.6
4.9.6
nuget/NuGet.CommandLine>=6.3.0<6.3.1
6.3.1
nuget/NuGet.CommandLine>=6.1.0<6.2.2
6.2.2
nuget/NuGet.CommandLine>=6.0.0<6.0.3
6.0.3
nuget/NuGet.CommandLine>=5.10.0<5.11.3
5.11.3
nuget/NuGet.CommandLine>=5.8.0<5.9.3
5.9.3
nuget/NuGet.CommandLine>=5.0.0<5.7.3
5.7.3
nuget/NuGet.CommandLine>=4.6.0<4.9.6
4.9.6
nuget/NuGet.Commands>=6.3.0<6.3.1
6.3.1
nuget/NuGet.Commands>=6.1.0<6.2.2
6.2.2
nuget/NuGet.Commands>=6.0.0<6.0.3
6.0.3
nuget/NuGet.Commands>=5.10.0<5.11.3
5.11.3
nuget/NuGet.Commands>=5.8.0<5.9.3
5.9.3
nuget/NuGet.Commands>=5.0.0<5.7.3
5.7.3
nuget/NuGet.Commands>=4.6.0<4.9.6
4.9.6
Microsoft .NET=6.0.0
Microsoft .NET Core=3.1
Microsoft Visual Studio 2019>=16.0.0<16.9.26
Microsoft Visual Studio 2019>=16.10.0<16.11.20
Microsoft Visual Studio 2022>=17.0.0<17.0.15
Microsoft Visual Studio 2022>=17.2.0<17.2.9
Microsoft Visual Studio 2022>=17.3<17.3.6
Microsoft Visual Studio 2022>=17.3<17.3.7
Fedoraproject Fedora=35
Fedoraproject Fedora=36
Fedoraproject Fedora=37
Microsoft Visual Studio 2022>=17.0<17.0.15
=6.0.0
=3.1
>=16.0.0<16.9.26
>=16.10.0<16.11.20
>=17.0<17.0.15
>=17.2.0<17.2.9
>=17.3<17.3.6
>=17.3<17.3.7
=35
=36
=37

Remedy

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41032

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2022-41032?

    CVE-2022-41032 is a vulnerability that allows elevation of privilege in the NuGet Client.

  • Which software is affected by CVE-2022-41032?

    The following software versions are affected: Microsoft .NET 6.0.0, Microsoft .NET Core 3.1, Microsoft Visual Studio 2019 (version 16.0.0 to 16.9.25 and 16.10.0 to 16.11.19), and Microsoft Visual Studio 2022 (version 17.0.0 to 17.0.14 and 17.2.0 to 17.2.8).

  • What is the severity of CVE-2022-41032?

    The severity of CVE-2022-41032 is high, with a CVSSv3 score of 7.8.

  • How can I fix CVE-2022-41032?

    Apply the necessary patches and updates provided by the software vendors to mitigate the vulnerability.

  • Where can I find more information about CVE-2022-41032?

    You can find more information about CVE-2022-41032 at the following references: [Reference 1](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FOG35Z5RL5W5RGLLYLN46CI4D2UPDSWM/), [Reference 2](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HDPT2MJC3HD7HYZGASOOX6MTDR4ASBL5/), [Reference 3](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X7BMHO5ITRBZREVTEKHQRGSFRPDMALV3/).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203