GHSA-9CXH-GQPX-QC5M

Vulnerability from github – Published: 2021-10-12 17:49 – Updated: 2022-02-08 20:42
VLAI?
Summary
Credential Disclosure in System.DirectoryServices.Protocols
Details

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A Information Disclosure vulnerability exists in .NET where System.DirectoryServices.Protocols.LdapConnection may send credentials in plain text on Linux.

Patches

Any .NET application that uses System.DirectoryServices.Protocols with a vulnerable version listed below on system based on Linux.

Package name Vulnerable versions Secure versions
System.DirectoryServices.Protocols 5.0.0 5.0.1

Other Details

  • Announcement for this issue can be found at dotnet/announcements#202
  • An Issue for this can be found at https://github.com/dotnet/runtime/issues/60301
  • MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41355
Severity ?
5.7 (Medium)
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "System.DirectoryServices.Protocols"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41355"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-12T17:48:55Z",
    "nvd_published_at": "2021-10-13T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Microsoft is releasing this security advisory to provide information about a vulnerability in .NET. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.\n\nA Information Disclosure vulnerability exists in .NET where System.DirectoryServices.Protocols.LdapConnection may send credentials in plain text on Linux.\n\n### Patches\nAny .NET application that uses `System.DirectoryServices.Protocols` with a vulnerable version listed below on system based on Linux.\n\nPackage name | Vulnerable versions | Secure versions\n------------ | ---------------- | -------------------------\nSystem.DirectoryServices.Protocols | 5.0.0  | 5.0.1\n\n### Other Details\n\n- Announcement for this issue can be found at dotnet/announcements#202\n- An Issue for this can be found at https://github.com/dotnet/runtime/issues/60301\n- MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41355",
  "id": "GHSA-9cxh-gqpx-qc5m",
  "modified": "2022-02-08T20:42:44Z",
  "published": "2021-10-12T17:49:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dotnet/runtime/security/advisories/GHSA-9cxh-gqpx-qc5m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41355"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dotnet/runtime/issues/60301"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dotnet/runtime"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41355"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41355"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Credential Disclosure in System.DirectoryServices.Protocols"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.