{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-35390", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2023-06-14T23:09:47.639Z", "datePublished": "2023-08-08T17:08:54.243Z", "dateUpdated": "2025-01-01T01:59:13.153Z"}, "containers": {"cna": {"title": ".NET and Visual Studio Remote Code Execution Vulnerability", "datePublic": "2023-08-08T07:00:00+00:00", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "versionStartIncluding": "17.2.0", "versionEndExcluding": "17.2.18"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "versionStartIncluding": "17.4.0", "versionEndExcluding": "17.4.10"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:visual_studio:*:*:*:*:*:*:*:*", "versionStartIncluding": "17.6.0", "versionEndExcluding": "17.6.6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.0.21"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.10"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.2", "platforms": ["Unknown"], "versions": [{"version": "17.2.0", "lessThan": "17.2.18", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.4", "platforms": ["Unknown"], "versions": [{"version": "17.4.0", "lessThan": "17.4.10", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.6", "platforms": ["Unknown"], "versions": [{"version": "17.6.0", "lessThan": "17.6.6", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": ".NET 6.0", "platforms": ["Unknown"], "versions": [{"version": "6.0.0", "lessThan": "6.0.21", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": ".NET 7.0", "platforms": ["Unknown"], "versions": [{"version": "7.0.0", "lessThan": "7.0.10", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": ".NET and Visual Studio Remote Code Execution Vulnerability", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en-US", "type": "CWE", "cweId": "CWE-77"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2025-01-01T01:59:13.153Z"}, "references": [{"name": ".NET and Visual Studio Remote Code Execution Vulnerability", "tags": ["vendor-advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35390"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-35390", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-04T01:21:48.088404Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:18:41.198Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:23:59.883Z"}, "title": "CVE Program Container", "references": [{"name": ".NET and Visual Studio Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "x_transferred"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35390"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CL2L4WE5QRT7WEXANYXSKSU43APC5N2V/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWVZFKTLNMNKPZ755EMRYIA6GHFOWGKY/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35390", "name": ".NET and Visual Studio Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CL2L4WE5QRT7WEXANYXSKSU43APC5N2V/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWVZFKTLNMNKPZ755EMRYIA6GHFOWGKY/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:23:59.883Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-35390", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-04T01:21:48.088404Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T01:22:01.094Z"}}], "cna": {"title": ".NET and Visual Studio Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:microsoft:visual_studio_2022:17.2:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.2", "versions": [{"status": "affected", "version": "17.2.0", "lessThan": "17.2.18", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:visual_studio_2022:17.4:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.4", "versions": [{"status": "affected", "version": "17.4.0", "lessThan": "17.4.10", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.6", "versions": [{"status": "affected", "version": "17.6.0", "lessThan": "17.6.6", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:.net:6.0.0:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": ".NET 6.0", "versions": [{"status": "affected", "version": "6.0.0", "lessThan": "6.0.21", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:.net:7.0.0:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": ".NET 7.0", "versions": [{"status": "affected", "version": "7.0.0", "lessThan": "7.0.10", "versionType": "custom"}], "platforms": ["Unknown"]}], "datePublic": "2023-08-08T07:00:00+00:00", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35390", "name": ".NET and Visual Studio Remote Code Execution Vulnerability", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CL2L4WE5QRT7WEXANYXSKSU43APC5N2V/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWVZFKTLNMNKPZ755EMRYIA6GHFOWGKY/"}], "descriptions": [{"lang": "en-US", "value": ".NET and Visual Studio Remote Code Execution Vulnerability"}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2024-05-29T01:33:04.938Z"}}}, "cveMetadata": {"cveId": "CVE-2023-35390", "state": "PUBLISHED", "dateUpdated": "2024-08-02T16:23:59.883Z", "dateReserved": "2023-06-14T23:09:47.639Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2023-08-08T17:08:54.243Z", "assignerShortName": "microsoft"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA257401-7276-4427-8692-7B5A6495F182", "versionEndExcluding": "6.0.21", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "matchCriteriaId": "C2239C44-5436-4968-959B-C686E0FAECD1", "versionEndExcluding": "7.0.10", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:-:*:*", "matchCriteriaId": "E3B42567-B3FF-4101-A639-C2883F567CF2", "versionEndExcluding": "17.2.18", "versionStartIncluding": "17.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:-:*:*", "matchCriteriaId": "4759CA52-CEA4-40C8-B1EF-F161DCFF0E78", "versionEndExcluding": "17.4.10", "versionStartIncluding": "17.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:-:*:*", "matchCriteriaId": "0659AFA0-5AFA-42FC-8733-4502228AC26C", "versionEndExcluding": "17.6.6", "versionStartIncluding": "17.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": ".NET and Visual Studio Remote Code Execution Vulnerability"}, {"lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo de .NET y Visual Studio"}], "id": "CVE-2023-35390", "lastModified": "2025-01-01T02:16:02.787", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Secondary"}]}, "published": "2023-08-08T18:15:13.667", "references": [{"source": "secure@microsoft.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35390"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CL2L4WE5QRT7WEXANYXSKSU43APC5N2V/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWVZFKTLNMNKPZ755EMRYIA6GHFOWGKY/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35390"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "secure@microsoft.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:4641", "cpe": "cpe:/a:redhat:rhel_dotnet:6.0::el7", "package": "rh-dotnet60-dotnet-0:6.0.121-1.el7_9", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2023-08-14T00:00:00Z"}, {"advisory": "RHSA-2023:4643", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet7.0-0:7.0.110-1.el8_8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-08-14T00:00:00Z"}, {"advisory": "RHSA-2023:4645", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet6.0-0:6.0.121-1.el8_8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-08-14T00:00:00Z"}, {"advisory": "RHSA-2023:4640", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "dotnet6.0-0:6.0.121-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-08-14T00:00:00Z"}, {"advisory": "RHSA-2023:4642", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet7.0-0:7.0.110-1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-08-14T00:00:00Z"}, {"advisory": "RHSA-2023:4644", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet6.0-0:6.0.121-1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-08-14T00:00:00Z"}, {"advisory": "RHSA-2023:4639", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "dotnet6.0-0:6.0.121-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-08-14T00:00:00Z"}], "bugzilla": {"description": "dotnet: RCE under dotnet commands", "id": "2228622", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2228622"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "details": [".NET and Visual Studio Remote Code Execution Vulnerability", "A vulnerability was found in dotnet. This issue exists when some dotnet commands are used in directories with weaker permissions, which can result in remote code execution."], "name": "CVE-2023-35390", "public_date": "2023-08-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-35390\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-35390\nhttps://devblogs.microsoft.com/dotnet/august-2023-updates/\nhttps://github.com/advisories/GHSA-p8rx-fwgq-rh2f\nhttps://github.com/dotnet/announcements/issues/266\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35390"], "threat_severity": "Important", "upstream_fix": ".NET SDK 6.0.121, .NET SDK 7.0.110, .NET Runtime 6.0.21, .NET Runtime 7.0.10"}