First published: Fri Jun 09 2023(Updated: )
### Description Microsoft is releasing this security advisory to provide information about a vulnerability in .NET and NuGet on Linux. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET 6.0, .NET 7.0 and NuGet(nuget.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement) where a potential race condition that can lead to a symlink attack on Linux. Non-Linux platforms are not affected. ### Affected software This issue only affects Linux systems. #### NuGet & NuGet Packages - Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.6.0 version or earlier. - Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.5.0 version or earlier. - Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.4.1 version or earlier. - Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.3.2 version or earlier. - Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.2.3 version or earlier. - Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.0.4 version or earlier. - Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 5.11.4 #### .NET SDK(s) - Any .NET SDK 7.0.106 or earlier, or 7.0.303 or earlier - Any .NET SDK 6.0.117 or earlier, or 6.0.312 or earlier, or 6.0.409 or earlier. ### Patches To fix the issue, please install the latest version of .NET 6.0 or .NET 7.0 and NuGet (NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, NuGet.PackageManagement versions). If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs. - If you're using NuGet.exe 6.6.0 or lower, you should download and install 6.6.1 from https://dist.nuget.org/win-x86-commandline/v6.6.1/nuget.exe. - If you're using NuGet.exe 6.5.0 or lower, you should download and install 6.5.1 from https://dist.nuget.org/win-x86-commandline/v6.5.1/nuget.exe. - If you're using NuGet.exe 6.4.1 or lower, you should download and install 6.4.2 from https://dist.nuget.org/win-x86-commandline/v6.4.2/nuget.exe. - If you're using NuGet.exe 6.3.2 or lower, you should download and install 6.3.3 from https://dist.nuget.org/win-x86-commandline/v6.3.3/nuget.exe. - If you're using NuGet.exe 6.2.3 or lower, you should download and install 6.2.4 from https://dist.nuget.org/win-x86-commandline/v6.2.4/nuget.exe. - If you're using NuGet.exe 6.0.4 or lower, you should download and install 6.0.5 from https://dist.nuget.org/win-x86-commandline/v6.0.5/nuget.exe. - If you're using NuGet.exe 5.11.4 or lower, you should download and install 5.11.5 from https://dist.nuget.org/win-x86-commandline/v5.11.5/nuget.exe. - If you're using .NET 7.0, you should download and install Runtime 7.0.7 or SDK 7.0.107 or SDK 7.0.304 from https://dotnet.microsoft.com/download/dotnet-core/7.0. - If you're using .NET 7.0, you should download and install Runtime 7.0.7 or SDK 7.0.107 or SDK 7.0.304 from https://dotnet.microsoft.com/download/dotnet-core/7.0. - If you're using .NET 6.0, you should download and install Runtime 6.0.18 or SDK 6.0.118 or SDK 6.0.312 from https://dotnet.microsoft.com/download/dotnet-core/6.0. ### Other details Announcement for this issue can be found at https://github.com/NuGet/Announcements/issues/69 MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29337
Credit: secure@microsoft.com secure@microsoft.com secure@microsoft.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/rh-dotnet60-dotnet | <0:6.0.118-1.el7_9 | 0:6.0.118-1.el7_9 |
redhat/dotnet6.0 | <0:6.0.118-1.el8_8 | 0:6.0.118-1.el8_8 |
redhat/dotnet7.0 | <0:7.0.107-1.el8_8 | 0:7.0.107-1.el8_8 |
redhat/dotnet6.0 | <0:6.0.120-1.el8_6 | 0:6.0.120-1.el8_6 |
redhat/dotnet6.0 | <0:6.0.118-1.el9_2 | 0:6.0.118-1.el9_2 |
redhat/dotnet7.0 | <0:7.0.107-1.el9_2 | 0:7.0.107-1.el9_2 |
redhat/dotnet6.0 | <0:6.0.120-1.el9_0 | 0:6.0.120-1.el9_0 |
Microsoft Nuget | =6.0.4 | |
Microsoft Nuget | =6.2.3 | |
Microsoft Nuget | =6.3.2 | |
Microsoft Nuget | =6.4.1 | |
Microsoft Nuget | =6.5.0 | |
Microsoft Nuget | =6.6.0 | |
Microsoft NuGet 6.3.2 | ||
Microsoft NuGet 6.4.1 | ||
Microsoft NuGet 5.11.4 | ||
Microsoft NuGet 6.2.3 | ||
Microsoft NuGet 6.6.0 | ||
Microsoft NuGet 6.0.4 | ||
nuget/NuGet.Protocol | >=4.7.0<5.11.5 | 5.11.5 |
nuget/NuGet.Common | >=4.6.0<5.11.5 | 5.11.5 |
nuget/NuGet.CommandLine | >=4.6.0<5.11.5 | 5.11.5 |
nuget/NuGet.Commands | >=4.6.0<5.11.5 | 5.11.5 |
nuget/NuGet.PackageManagement | >=4.6.0<5.11.5 | 5.11.5 |
nuget/NuGet.Protocol | >=6.0.0<6.0.5 | 6.0.5 |
nuget/NuGet.Common | >=6.0.0<6.0.5 | 6.0.5 |
nuget/NuGet.Protocol | =6.6.0 | 6.6.1 |
nuget/NuGet.Protocol | =6.5.0 | 6.5.1 |
nuget/NuGet.Protocol | >=6.4.0<6.4.2 | 6.4.2 |
nuget/NuGet.Protocol | >=6.3.0<6.3.3 | 6.3.3 |
nuget/NuGet.Protocol | >=6.2.0<6.2.4 | 6.2.4 |
nuget/NuGet.Common | =6.6.0 | 6.6.1 |
nuget/NuGet.Common | =6.5.0 | 6.5.1 |
nuget/NuGet.Common | >=6.4.0<6.4.2 | 6.4.2 |
nuget/NuGet.Common | >=6.3.0<6.3.3 | 6.3.3 |
nuget/NuGet.Common | >=6.2.0<6.2.4 | 6.2.4 |
nuget/NuGet.CommandLine | =6.6.0 | 6.6.1 |
nuget/NuGet.CommandLine | >=6.0.0<6.0.5 | 6.0.5 |
nuget/NuGet.Commands | >=6.0.0<6.0.5 | 6.0.5 |
nuget/NuGet.PackageManagement | >=6.0.0<6.0.5 | 6.0.5 |
nuget/NuGet.CommandLine | =6.5.0 | 6.5.1 |
nuget/NuGet.CommandLine | >=6.4.0<6.4.2 | 6.4.2 |
nuget/NuGet.CommandLine | >=6.3.0<6.3.3 | 6.3.3 |
nuget/NuGet.CommandLine | >=6.2.0<6.2.4 | 6.2.4 |
nuget/NuGet.Commands | =6.6.0 | 6.6.1 |
nuget/NuGet.Commands | =6.5.0 | 6.5.1 |
nuget/NuGet.Commands | >=6.4.0<6.4.2 | 6.4.2 |
nuget/NuGet.Commands | >=6.3.0<6.3.3 | 6.3.3 |
nuget/NuGet.Commands | >=6.2.0<6.2.4 | 6.2.4 |
nuget/Microsoft.Build.NuGetSdkResolver | =5.11.0-rc.10 | |
nuget/Microsoft.Build.NuGetSdkResolver | =5.10.0-rc.7240 | |
nuget/NuGet.PackageManagement | =6.6.0 | 6.6.1 |
nuget/NuGet.PackageManagement | =6.5.0 | 6.5.1 |
nuget/NuGet.PackageManagement | >=6.4.0<6.4.2 | 6.4.2 |
nuget/NuGet.PackageManagement | >=6.3.0<6.3.3 | 6.3.3 |
nuget/NuGet.PackageManagement | >=6.2.0<6.2.4 | 6.2.4 |
nuget/Microsoft.Build.NuGetSdkResolver | =5.9.0-rc.7122 | |
=6.0.4 | ||
=6.2.3 | ||
=6.3.2 | ||
=6.4.1 | ||
=6.5.0 | ||
=6.6.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2023-29337 is a vulnerability in NuGet that can lead to remote code execution due to a potential race condition and symlink attack.
Versions 6.5.0, 6.2.3, 6.6.0, 5.11.4, 6.0.4, and 6.4.1 of Microsoft NuGet are affected by CVE-2023-29337.
CVE-2023-29337 has a severity rating of 7.1, which is considered high.
To fix CVE-2023-29337, you should download and apply the patches provided by Microsoft. You can find the patches and further instructions at the following URLs: [NuGet 6.5.0](https://www.nuget.org/downloads), [NuGet 6.2.3](https://www.nuget.org/downloads), [NuGet 6.6.0](https://www.nuget.org/downloads), [NuGet 5.11.4](https://www.nuget.org/downloads), [NuGet 6.0.4](https://www.nuget.org/downloads), [NuGet 6.4.1](https://www.nuget.org/downloads).
You can find more information about CVE-2023-29337 at the following references: [Bugzilla: 2214906](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2214906), [Bugzilla: 2214908](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2214908), [Bugzilla: 2214907](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2214907).