cvelistv5 - cve-2019-0976

CVE-2019-0976 (GCVE-0-2019-0976)

Vulnerability from cvelistv5 – Published: 2019-05-16 18:24 – Updated: 2024-08-04 18:06

Summary

A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify contents of the intermediate build folder (by default "obj"), aka 'NuGet Package Manager Tampering Vulnerability'.

Severity ?

No CVSS data available.

CWE

Tampering

Assigner

microsoft

References

URL

Tags

	http://www.securityfocus.com/bid/108210	vdb-entryx_refsource_BID
	https://portal.msrc.microsoft.com/en-US/security-…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Microsoft	Nuget	Affected: 5.0.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T18:06:29.971Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "108210",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/108210"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0976"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Nuget",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "5.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify contents of the intermediate build folder (by default \"obj\"), aka \u0027NuGet Package Manager Tampering Vulnerability\u0027."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Tampering",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-05-20T20:25:03",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "108210",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/108210"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0976"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "ID": "CVE-2019-0976",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Nuget",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "5.0.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Microsoft"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify contents of the intermediate build folder (by default \"obj\"), aka \u0027NuGet Package Manager Tampering Vulnerability\u0027."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Tampering"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "108210",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/108210"
            },
            {
              "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0976",
              "refsource": "MISC",
              "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0976"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2019-0976",
    "datePublished": "2019-05-16T18:24:57",
    "dateReserved": "2018-11-26T00:00:00",
    "dateUpdated": "2024-08-04T18:06:29.971Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:nuget:5.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E30E221B-2DFE-4969-A99C-FABFE1C3BDF5\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"387021A0-AF36-463C-A605-32EA7DAC172E\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify contents of the intermediate build folder (by default \\\"obj\\\"), aka \u0027NuGet Package Manager Tampering Vulnerability\u0027.\"}, {\"lang\": \"es\", \"value\": \"Hay una vulnerabilidad de manipulaci\\u00f3n en NuGet Package Manager para Linux y Mac que podr\\u00eda permitir que un atacante autenticado modifique el contenido de la carpeta de compilaci\\u00f3n intermedia (por defecto, \\\"obj\\\"), conocida como \\\"Vulnerabilidad de manipulaci\\u00f3n de NuGet Package Manager\\\".\"}]",
      "id": "CVE-2019-0976",
      "lastModified": "2024-11-21T04:17:36.263",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:N/I:P/A:N\", \"baseScore\": 2.1, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 3.9, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2019-05-16T19:29:04.850",
      "references": "[{\"url\": \"http://www.securityfocus.com/bid/108210\", \"source\": \"secure@microsoft.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0976\", \"source\": \"secure@microsoft.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/108210\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0976\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "secure@microsoft.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-0976\",\"sourceIdentifier\":\"secure@microsoft.com\",\"published\":\"2019-05-16T19:29:04.850\",\"lastModified\":\"2024-11-21T04:17:36.263\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify contents of the intermediate build folder (by default \\\"obj\\\"), aka \u0027NuGet Package Manager Tampering Vulnerability\u0027.\"},{\"lang\":\"es\",\"value\":\"Hay una vulnerabilidad de manipulaci\u00f3n en NuGet Package Manager para Linux y Mac que podr\u00eda permitir que un atacante autenticado modifique el contenido de la carpeta de compilaci\u00f3n intermedia (por defecto, \\\"obj\\\"), conocida como \\\"Vulnerabilidad de manipulaci\u00f3n de NuGet Package Manager\\\".\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:N/I:P/A:N\",\"baseScore\":2.1,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:nuget:5.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E30E221B-2DFE-4969-A99C-FABFE1C3BDF5\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"387021A0-AF36-463C-A605-32EA7DAC172E\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/108210\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0976\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/108210\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0976\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
  }
}

GHSA-3HCM-6FJC-47QQ

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2024-03-24 20:28

Summary

NuGet Package Manager Tampering Vulnerability

Details

A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify contents of the intermediate build folder (by default obj), aka 'NuGet Package Manager Tampering Vulnerability'.

Severity ?

5.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "NuGet.Commands"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-0976"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-24T20:28:51Z",
    "nvd_published_at": "2019-05-16T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify contents of the intermediate build folder (by default `obj`), aka \u0027NuGet Package Manager Tampering Vulnerability\u0027.",
  "id": "GHSA-3hcm-6fjc-47qq",
  "modified": "2024-03-24T20:28:51Z",
  "published": "2022-05-24T22:28:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0976"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NuGet/Home/issues/7908"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NuGet/NuGet.Client/commit/e32a2ea7096debd3e513188f6779bb1041593326"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NuGet/NuGet.Client"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0976"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200227075944/http://www.securityfocus.com/bid/108210"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NuGet Package Manager Tampering Vulnerability"
}

CERTFR-2019-AVI-225

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été corrigées dans les produits Microsoft. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une élévation de privilèges, une exécution de code à distance, une usurpation d'identité et un contournement de la fonctionnalité de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	Azure	Microsoft Azure Active Directory Connect
Microsoft	N/A	ChakraCore
Microsoft	N/A	Microsoft Visual Studio 2017 version 15.0
Microsoft	N/A	Team Foundation Server 2018 Update 3.2
Microsoft	N/A	Microsoft Dynamics CRM 2015 (on-premises) version 7.0
Microsoft	N/A	Microsoft Visual Studio 2017 version 15.9
Microsoft	Azure	Azure DevOps Server 2019
Microsoft	N/A	Team Foundation Server 2017 Update 3.1
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.0
Microsoft	N/A	Microsoft SQL Server 2017 pour systèmes x64 (CU+GDR)
Microsoft	N/A	Microsoft SQL Server 2017 pour systèmes x64 (GDR)
Microsoft	N/A	Microsoft Visual Studio 2015 Update 3
Microsoft	N/A	Nuget 5.0.2
Microsoft	N/A	Team Foundation Server 2018 Update 1.2
Microsoft	N/A	Microsoft Dynamics 365 (on-premises) version 9.0
Microsoft	N/A	Microsoft Dynamics 365 (on-premises) version 8.2
Microsoft	N/A	Skype 8.35 when installed on Android Devices
Microsoft	N/A	Team Foundation Server 2015 Update 4.2

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft du 14 mai 2019

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Microsoft Azure Active Directory Connect",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "ChakraCore",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2017 version 15.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Team Foundation Server 2018 Update 3.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics CRM 2015 (on-premises) version 7.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2017 version 15.9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure DevOps Server 2019",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Team Foundation Server 2017 Update 3.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2017 pour syst\u00e8mes x64 (CU+GDR)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2017 pour syst\u00e8mes x64 (GDR)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2015 Update 3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Nuget 5.0.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Team Foundation Server 2018 Update 1.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics 365 (on-premises) version 9.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics 365 (on-premises) version 8.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Skype 8.35 when installed on Android Devices",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Team Foundation Server 2015 Update 4.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-0916",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0916"
    },
    {
      "name": "CVE-2019-0727",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0727"
    },
    {
      "name": "CVE-2019-0976",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0976"
    },
    {
      "name": "CVE-2019-0872",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0872"
    },
    {
      "name": "CVE-2019-0922",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0922"
    },
    {
      "name": "CVE-2019-0979",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0979"
    },
    {
      "name": "CVE-2019-0937",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0937"
    },
    {
      "name": "CVE-2019-0819",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0819"
    },
    {
      "name": "CVE-2019-0911",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0911"
    },
    {
      "name": "CVE-2019-0912",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0912"
    },
    {
      "name": "CVE-2019-1000",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-1000"
    },
    {
      "name": "CVE-2019-0927",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0927"
    },
    {
      "name": "CVE-2019-0971",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0971"
    },
    {
      "name": "CVE-2019-0913",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0913"
    },
    {
      "name": "CVE-2019-0933",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0933"
    },
    {
      "name": "CVE-2019-0924",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0924"
    },
    {
      "name": "CVE-2019-0914",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0914"
    },
    {
      "name": "CVE-2019-0925",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0925"
    },
    {
      "name": "CVE-2019-0915",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0915"
    },
    {
      "name": "CVE-2019-0917",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0917"
    },
    {
      "name": "CVE-2019-0932",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0932"
    },
    {
      "name": "CVE-2019-1008",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-1008"
    }
  ],
  "links": [],
  "reference": "CERTFR-2019-AVI-225",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-05-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Usurpation d\u0027identit\u00e9"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la fonctionnalit\u00e9 de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eles produits Microsoft\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es,\nune \u00e9l\u00e9vation de privil\u00e8ges, une ex\u00e9cution de code \u00e0 distance, une\nusurpation d\u0027identit\u00e9 et un contournement de la fonctionnalit\u00e9 de\ns\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft du 14 mai 2019",
      "url": "https://portal.msrc.microsoft.com/fr-FR/security-guidance"
    }
  ]
}

CERTFR-2019-AVI-225

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	Azure	Microsoft Azure Active Directory Connect
Microsoft	N/A	ChakraCore
Microsoft	N/A	Microsoft Visual Studio 2017 version 15.0
Microsoft	N/A	Team Foundation Server 2018 Update 3.2
Microsoft	N/A	Microsoft Dynamics CRM 2015 (on-premises) version 7.0
Microsoft	N/A	Microsoft Visual Studio 2017 version 15.9
Microsoft	Azure	Azure DevOps Server 2019
Microsoft	N/A	Team Foundation Server 2017 Update 3.1
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.0
Microsoft	N/A	Microsoft SQL Server 2017 pour systèmes x64 (CU+GDR)
Microsoft	N/A	Microsoft SQL Server 2017 pour systèmes x64 (GDR)
Microsoft	N/A	Microsoft Visual Studio 2015 Update 3
Microsoft	N/A	Nuget 5.0.2
Microsoft	N/A	Team Foundation Server 2018 Update 1.2
Microsoft	N/A	Microsoft Dynamics 365 (on-premises) version 9.0
Microsoft	N/A	Microsoft Dynamics 365 (on-premises) version 8.2
Microsoft	N/A	Skype 8.35 when installed on Android Devices
Microsoft	N/A	Team Foundation Server 2015 Update 4.2

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft du 14 mai 2019

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Microsoft Azure Active Directory Connect",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "ChakraCore",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2017 version 15.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Team Foundation Server 2018 Update 3.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics CRM 2015 (on-premises) version 7.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2017 version 15.9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure DevOps Server 2019",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Team Foundation Server 2017 Update 3.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2017 pour syst\u00e8mes x64 (CU+GDR)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft SQL Server 2017 pour syst\u00e8mes x64 (GDR)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2015 Update 3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Nuget 5.0.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Team Foundation Server 2018 Update 1.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics 365 (on-premises) version 9.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics 365 (on-premises) version 8.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Skype 8.35 when installed on Android Devices",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Team Foundation Server 2015 Update 4.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-0916",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0916"
    },
    {
      "name": "CVE-2019-0727",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0727"
    },
    {
      "name": "CVE-2019-0976",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0976"
    },
    {
      "name": "CVE-2019-0872",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0872"
    },
    {
      "name": "CVE-2019-0922",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0922"
    },
    {
      "name": "CVE-2019-0979",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0979"
    },
    {
      "name": "CVE-2019-0937",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0937"
    },
    {
      "name": "CVE-2019-0819",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0819"
    },
    {
      "name": "CVE-2019-0911",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0911"
    },
    {
      "name": "CVE-2019-0912",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0912"
    },
    {
      "name": "CVE-2019-1000",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-1000"
    },
    {
      "name": "CVE-2019-0927",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0927"
    },
    {
      "name": "CVE-2019-0971",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0971"
    },
    {
      "name": "CVE-2019-0913",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0913"
    },
    {
      "name": "CVE-2019-0933",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0933"
    },
    {
      "name": "CVE-2019-0924",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0924"
    },
    {
      "name": "CVE-2019-0914",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0914"
    },
    {
      "name": "CVE-2019-0925",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0925"
    },
    {
      "name": "CVE-2019-0915",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0915"
    },
    {
      "name": "CVE-2019-0917",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0917"
    },
    {
      "name": "CVE-2019-0932",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0932"
    },
    {
      "name": "CVE-2019-1008",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-1008"
    }
  ],
  "links": [],
  "reference": "CERTFR-2019-AVI-225",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-05-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Usurpation d\u0027identit\u00e9"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la fonctionnalit\u00e9 de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eles produits Microsoft\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es,\nune \u00e9l\u00e9vation de privil\u00e8ges, une ex\u00e9cution de code \u00e0 distance, une\nusurpation d\u0027identit\u00e9 et un contournement de la fonctionnalit\u00e9 de\ns\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft du 14 mai 2019",
      "url": "https://portal.msrc.microsoft.com/fr-FR/security-guidance"
    }
  ]
}

GSD-2019-0976

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2019-0976

Aliases

CVE-2019-0976

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-0976",
    "description": "A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify contents of the intermediate build folder (by default \"obj\"), aka \u0027NuGet Package Manager Tampering Vulnerability\u0027.",
    "id": "GSD-2019-0976",
    "references": [
      "https://www.suse.com/security/cve/CVE-2019-0976.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-0976"
      ],
      "details": "A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify contents of the intermediate build folder (by default \"obj\"), aka \u0027NuGet Package Manager Tampering Vulnerability\u0027.",
      "id": "GSD-2019-0976",
      "modified": "2023-12-13T01:23:40.015229Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secure@microsoft.com",
        "ID": "CVE-2019-0976",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Nuget",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "5.0.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Microsoft"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify contents of the intermediate build folder (by default \"obj\"), aka \u0027NuGet Package Manager Tampering Vulnerability\u0027."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Tampering"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "108210",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/108210"
          },
          {
            "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0976",
            "refsource": "MISC",
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0976"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:microsoft:nuget:5.0.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "ID": "CVE-2019-0976"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify contents of the intermediate build folder (by default \"obj\"), aka \u0027NuGet Package Manager Tampering Vulnerability\u0027."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0976",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0976"
            },
            {
              "name": "108210",
              "refsource": "BID",
              "tags": [
                "Broken Link"
              ],
              "url": "http://www.securityfocus.com/bid/108210"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.1,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-04-18T14:26Z",
      "publishedDate": "2019-05-16T19:29Z"
    }
  }
}

FKIE_CVE-2019-0976

Vulnerability from fkie_nvd - Published: 2019-05-16 19:29 - Updated: 2024-11-21 04:17

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Summary

References

URL	Tags
secure@microsoft.com	http://www.securityfocus.com/bid/108210	Broken Link
secure@microsoft.com	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0976	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/108210	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0976	Patch, Vendor Advisory

Impacted products

Vendor	Product	Version
microsoft	nuget	5.0.2
apple	macos	-
linux	linux_kernel	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microsoft:nuget:5.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E30E221B-2DFE-4969-A99C-FABFE1C3BDF5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify contents of the intermediate build folder (by default \"obj\"), aka \u0027NuGet Package Manager Tampering Vulnerability\u0027."
    },
    {
      "lang": "es",
      "value": "Hay una vulnerabilidad de manipulaci\u00f3n en NuGet Package Manager para Linux y Mac que podr\u00eda permitir que un atacante autenticado modifique el contenido de la carpeta de compilaci\u00f3n intermedia (por defecto, \"obj\"), conocida como \"Vulnerabilidad de manipulaci\u00f3n de NuGet Package Manager\"."
    }
  ],
  "id": "CVE-2019-0976",
  "lastModified": "2024-11-21T04:17:36.263",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 2.1,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-05-16T19:29:04.850",
  "references": [
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Broken Link"
      ],
      "url": "http://www.securityfocus.com/bid/108210"
    },
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0976"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://www.securityfocus.com/bid/108210"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0976"
    }
  ],
  "sourceIdentifier": "secure@microsoft.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2019-14684

Vulnerability from cnvd - Published: 2019-05-17

Title

Microsoft NuGet Package Manager篡改安全绕过漏洞

Description

Microsoft NuGet是美国微软（Microsoft）公司的一款开源软件包管理系统。 Microsoft NuGet 5.0.2版本中的包管理器（Linux和Mac平台）存在安全漏洞。攻击者可利用该漏洞修改文件或文件夹。

Severity

中

Patch Name

Microsoft NuGet Package Manager篡改安全绕过漏洞的补丁

Patch Description

Microsoft NuGet是美国微软（Microsoft）公司的一款开源软件包管理系统。 Microsoft NuGet 5.0.2版本中的包管理器（Linux和Mac平台）存在安全漏洞。攻击者可利用该漏洞修改文件或文件夹。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2019-0976

Reference

https://web.nvd.nist.gov//vuln/detail/CVE-2019-0976

Impacted products

Name
Microsoft NuGet 5.0.2

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "108210"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-0976",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0976"
    }
  },
  "description": "Microsoft NuGet\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5f00\u6e90\u8f6f\u4ef6\u5305\u7ba1\u7406\u7cfb\u7edf\u3002\n\nMicrosoft NuGet 5.0.2\u7248\u672c\u4e2d\u7684\u5305\u7ba1\u7406\u5668\uff08Linux\u548cMac\u5e73\u53f0\uff09\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4fee\u6539\u6587\u4ef6\u6216\u6587\u4ef6\u5939\u3002",
  "discovererName": "Microsoft",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2019-0976",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-14684",
  "openTime": "2019-05-17",
  "patchDescription": "Microsoft NuGet\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5f00\u6e90\u8f6f\u4ef6\u5305\u7ba1\u7406\u7cfb\u7edf\u3002\r\n\r\nMicrosoft NuGet 5.0.2\u7248\u672c\u4e2d\u7684\u5305\u7ba1\u7406\u5668\uff08Linux\u548cMac\u5e73\u53f0\uff09\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4fee\u6539\u6587\u4ef6\u6216\u6587\u4ef6\u5939\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Microsoft NuGet Package Manager\u7be1\u6539\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Microsoft NuGet 5.0.2"
  },
  "referenceLink": "https://web.nvd.nist.gov//vuln/detail/CVE-2019-0976",
  "serverity": "\u4e2d",
  "submitTime": "2019-05-16",
  "title": "Microsoft NuGet Package Manager\u7be1\u6539\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-0976 (GCVE-0-2019-0976)

GHSA-3HCM-6FJC-47QQ

CERTFR-2019-AVI-225

Solution

CERTFR-2019-AVI-225

Solution

GSD-2019-0976

FKIE_CVE-2019-0976

CNVD-2019-14684

Tags

Sightings

Nomenclature