Описание
Credential Disclosure in System.DirectoryServices.Protocols
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A Information Disclosure vulnerability exists in .NET where System.DirectoryServices.Protocols.LdapConnection may send credentials in plain text on Linux.
Patches
Any .NET application that uses System.DirectoryServices.Protocols with a vulnerable version listed below on system based on Linux.
| Package name | Vulnerable versions | Secure versions |
|---|---|---|
| System.DirectoryServices.Protocols | 5.0.0 | 5.0.1 |
Other Details
- Announcement for this issue can be found at dotnet/announcements#202
- An Issue for this can be found at https://github.com/dotnet/runtime/issues/60301
- MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41355
Ссылки
- https://github.com/dotnet/runtime/security/advisories/GHSA-9cxh-gqpx-qc5m
- https://nvd.nist.gov/vuln/detail/CVE-2021-41355
- https://github.com/dotnet/runtime/issues/60301
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41355
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41355
- https://www.oracle.com/security-alerts/cpujan2022.html
Пакеты
System.DirectoryServices.Protocols
< 5.0.1
5.0.1
Связанные уязвимости
.NET Core and Visual Studio Information Disclosure Vulnerability
.NET Core and Visual Studio Information Disclosure Vulnerability
.NET Core and Visual Studio Information Disclosure Vulnerability
ELSA-2021-3819: .NET 5.0 security and bugfix update (IMPORTANT)