high
7.1
CWE
362 367
Advisory Published
CVE Published
CVE Published
Advisory Published
Updated

CVE-2023-29337: NuGet Client Remote Code Execution Vulnerability

First published: Fri Jun 09 2023(Updated: )

### Description Microsoft is releasing this security advisory to provide information about a vulnerability in .NET and NuGet on Linux. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET 6.0, .NET 7.0 and NuGet(nuget.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement) where a potential race condition that can lead to a symlink attack on Linux. Non-Linux platforms are not affected. ### Affected software This issue only affects Linux systems. #### NuGet & NuGet Packages - Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.6.0 version or earlier. - Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.5.0 version or earlier. - Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.4.1 version or earlier. - Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.3.2 version or earlier. - Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.2.3 version or earlier. - Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.0.4 version or earlier. - Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 5.11.4 #### .NET SDK(s) - Any .NET SDK 7.0.106 or earlier, or 7.0.303 or earlier - Any .NET SDK 6.0.117 or earlier, or 6.0.312 or earlier, or 6.0.409 or earlier. ### Patches To fix the issue, please install the latest version of .NET 6.0 or .NET 7.0 and NuGet (NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, NuGet.PackageManagement versions). If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs. - If you're using NuGet.exe 6.6.0 or lower, you should download and install 6.6.1 from https://dist.nuget.org/win-x86-commandline/v6.6.1/nuget.exe. - If you're using NuGet.exe 6.5.0 or lower, you should download and install 6.5.1 from https://dist.nuget.org/win-x86-commandline/v6.5.1/nuget.exe. - If you're using NuGet.exe 6.4.1 or lower, you should download and install 6.4.2 from https://dist.nuget.org/win-x86-commandline/v6.4.2/nuget.exe. - If you're using NuGet.exe 6.3.2 or lower, you should download and install 6.3.3 from https://dist.nuget.org/win-x86-commandline/v6.3.3/nuget.exe. - If you're using NuGet.exe 6.2.3 or lower, you should download and install 6.2.4 from https://dist.nuget.org/win-x86-commandline/v6.2.4/nuget.exe. - If you're using NuGet.exe 6.0.4 or lower, you should download and install 6.0.5 from https://dist.nuget.org/win-x86-commandline/v6.0.5/nuget.exe. - If you're using NuGet.exe 5.11.4 or lower, you should download and install 5.11.5 from https://dist.nuget.org/win-x86-commandline/v5.11.5/nuget.exe. - If you're using .NET 7.0, you should download and install Runtime 7.0.7 or SDK 7.0.107 or SDK 7.0.304 from https://dotnet.microsoft.com/download/dotnet-core/7.0. - If you're using .NET 7.0, you should download and install Runtime 7.0.7 or SDK 7.0.107 or SDK 7.0.304 from https://dotnet.microsoft.com/download/dotnet-core/7.0. - If you're using .NET 6.0, you should download and install Runtime 6.0.18 or SDK 6.0.118 or SDK 6.0.312 from https://dotnet.microsoft.com/download/dotnet-core/6.0. ### Other details Announcement for this issue can be found at https://github.com/NuGet/Announcements/issues/69 MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29337

Credit: secure@microsoft.com secure@microsoft.com secure@microsoft.com

Affected SoftwareAffected VersionHow to fix
redhat/rh-dotnet60-dotnet<0:6.0.118-1.el7_9
0:6.0.118-1.el7_9
redhat/dotnet6.0<0:6.0.118-1.el8_8
0:6.0.118-1.el8_8
redhat/dotnet7.0<0:7.0.107-1.el8_8
0:7.0.107-1.el8_8
redhat/dotnet6.0<0:6.0.120-1.el8_6
0:6.0.120-1.el8_6
redhat/dotnet6.0<0:6.0.118-1.el9_2
0:6.0.118-1.el9_2
redhat/dotnet7.0<0:7.0.107-1.el9_2
0:7.0.107-1.el9_2
redhat/dotnet6.0<0:6.0.120-1.el9_0
0:6.0.120-1.el9_0
Microsoft Nuget=6.0.4
Microsoft Nuget=6.2.3
Microsoft Nuget=6.3.2
Microsoft Nuget=6.4.1
Microsoft Nuget=6.5.0
Microsoft Nuget=6.6.0
Microsoft NuGet 6.3.2
fix available externally
Microsoft NuGet 6.4.1
fix available externally
Microsoft NuGet 5.11.4
fix available externally
Microsoft NuGet 6.2.3
fix available externally
Microsoft NuGet 6.6.0
fix available externally
Microsoft NuGet 6.0.4
fix available externally
nuget/NuGet.Protocol>=4.7.0<5.11.5
5.11.5
nuget/NuGet.Common>=4.6.0<5.11.5
5.11.5
nuget/NuGet.CommandLine>=4.6.0<5.11.5
5.11.5
nuget/NuGet.Commands>=4.6.0<5.11.5
5.11.5
nuget/NuGet.PackageManagement>=4.6.0<5.11.5
5.11.5
nuget/NuGet.Protocol>=6.0.0<6.0.5
6.0.5
nuget/NuGet.Common>=6.0.0<6.0.5
6.0.5
nuget/NuGet.Protocol=6.6.0
6.6.1
nuget/NuGet.Protocol=6.5.0
6.5.1
nuget/NuGet.Protocol>=6.4.0<6.4.2
6.4.2
nuget/NuGet.Protocol>=6.3.0<6.3.3
6.3.3
nuget/NuGet.Protocol>=6.2.0<6.2.4
6.2.4
nuget/NuGet.Common=6.6.0
6.6.1
nuget/NuGet.Common=6.5.0
6.5.1
nuget/NuGet.Common>=6.4.0<6.4.2
6.4.2
nuget/NuGet.Common>=6.3.0<6.3.3
6.3.3
nuget/NuGet.Common>=6.2.0<6.2.4
6.2.4
nuget/NuGet.CommandLine=6.6.0
6.6.1
nuget/NuGet.CommandLine>=6.0.0<6.0.5
6.0.5
nuget/NuGet.Commands>=6.0.0<6.0.5
6.0.5
nuget/NuGet.PackageManagement>=6.0.0<6.0.5
6.0.5
nuget/NuGet.CommandLine=6.5.0
6.5.1
nuget/NuGet.CommandLine>=6.4.0<6.4.2
6.4.2
nuget/NuGet.CommandLine>=6.3.0<6.3.3
6.3.3
nuget/NuGet.CommandLine>=6.2.0<6.2.4
6.2.4
nuget/NuGet.Commands=6.6.0
6.6.1
nuget/NuGet.Commands=6.5.0
6.5.1
nuget/NuGet.Commands>=6.4.0<6.4.2
6.4.2
nuget/NuGet.Commands>=6.3.0<6.3.3
6.3.3
nuget/NuGet.Commands>=6.2.0<6.2.4
6.2.4
nuget/Microsoft.Build.NuGetSdkResolver=5.11.0-rc.10
nuget/Microsoft.Build.NuGetSdkResolver=5.10.0-rc.7240
nuget/NuGet.PackageManagement=6.6.0
6.6.1
nuget/NuGet.PackageManagement=6.5.0
6.5.1
nuget/NuGet.PackageManagement>=6.4.0<6.4.2
6.4.2
nuget/NuGet.PackageManagement>=6.3.0<6.3.3
6.3.3
nuget/NuGet.PackageManagement>=6.2.0<6.2.4
6.2.4
nuget/Microsoft.Build.NuGetSdkResolver=5.9.0-rc.7122
=6.0.4
=6.2.3
=6.3.2
=6.4.1
=6.5.0
=6.6.0

Remedy

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29337

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is CVE-2023-29337?

    CVE-2023-29337 is a vulnerability in NuGet that can lead to remote code execution due to a potential race condition and symlink attack.

  • Which software versions are affected by CVE-2023-29337?

    Versions 6.5.0, 6.2.3, 6.6.0, 5.11.4, 6.0.4, and 6.4.1 of Microsoft NuGet are affected by CVE-2023-29337.

  • What is the severity of CVE-2023-29337?

    CVE-2023-29337 has a severity rating of 7.1, which is considered high.

  • How can I fix CVE-2023-29337?

    To fix CVE-2023-29337, you should download and apply the patches provided by Microsoft. You can find the patches and further instructions at the following URLs: [NuGet 6.5.0](https://www.nuget.org/downloads), [NuGet 6.2.3](https://www.nuget.org/downloads), [NuGet 6.6.0](https://www.nuget.org/downloads), [NuGet 5.11.4](https://www.nuget.org/downloads), [NuGet 6.0.4](https://www.nuget.org/downloads), [NuGet 6.4.1](https://www.nuget.org/downloads).

  • Where can I find more information about CVE-2023-29337?

    You can find more information about CVE-2023-29337 at the following references: [Bugzilla: 2214906](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2214906), [Bugzilla: 2214908](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2214908), [Bugzilla: 2214907](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2214907).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203