Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12aDM4LWdoeDYtdm12Z83X8Q
Code Injection in Masuit.Tools.Core
All versions of the package Masuit.Tools.Core are vulnerable to Arbitrary Code Execution via the ReceiveVarData function in the SocketClient.cs component. After the socket connection has been established, a payload can be passed in through user-controllable input, because the socket client's transmission does not apply appropriate restrictions or type bindings to the BinaryFormatter.
Permalink: https://github.com/advisories/GHSA-vh38-ghx6-vmvg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12aDM4LWdoeDYtdm12Z83X8Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-vh38-ghx6-vmvg, CVE-2022-21167
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-21167
- https://github.com/ldqk/Masuit.Tools/blob/327f42b9f20f25bb66188672199c8265fc968d91/Masuit.Tools.Abstractions/Net/SocketClient.cs%23L197
- https://snyk.io/vuln/SNYK-DOTNET-MASUITTOOLSCORE-2316875
- https://github.com/advisories/GHSA-vh38-ghx6-vmvg
Blast Radius: 1.0
Affected Packages
nuget:Masuit.Tools.Core
Dependent packages: 0
Dependent repositories: 0
Downloads: 710,680 total
Affected Version Ranges: <= 2.4.8.6
No known fixed version
All affected versions: