Description
NuGet Package Manager Tampering Vulnerability
A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify a NuGet package's folder structure. An attacker who successfully exploited this vulnerability could potentially modify files and folders that are unpackaged on a system.
To exploit this vulnerability, an attacker would need to log on to the affected system and tamper with the folder contents of a package prior to building or installation of an application.
The security update addresses the vulnerability by correcting permissions on folders inside the NuGet packages folder structure.
Workaround
This issue can be worked around if you change the directory permissions of all NuGet package extraction locations on your computer. These locations generally will include a global package folder (defaults to ~/.nuget/packages, but overridable by nuget.config settings). If any of your projects use packages.config for NuGet, each of the containing solutions will also have a solution packages folder.
To change directory permissions so only the current user can access the default location of the global packages folder:
chmod -R go-wx ~/.nuget/packages
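The workaround applies to every package extraction location, not only the default global folder. The following script is an added example, not part of the advisory: it lists what the `chmod` above would change in each folder, applies it, and re-checks. The function names and the convention of passing folders as arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory. Audits and hardens NuGet package
# extraction folders along the lines of the `chmod -R go-wx` workaround.

# List every non-symlink entry under $1 that still carries a group/other
# write or execute bit, i.e. exactly what `chmod -R go-wx` would change.
# Octal -perm tests are POSIX, so this works with GNU and BSD find.
nuget_perm_audit() {
    find "$1" ! -type l \
        \( -perm -020 -o -perm -002 -o -perm -010 -o -perm -001 \) -print
}

# Number of entries the audit reports (0 means the folder is already tight).
nuget_perm_count() {
    nuget_perm_audit "$1" | wc -l | tr -d ' '
}

# Apply the advisory's workaround to one folder; refuse anything that is
# not an existing directory so a mistyped path is noticed.
nuget_perm_harden() {
    if [ ! -d "$1" ]; then
        echo "skip (not a directory): $1" >&2
        return 1
    fi
    chmod -R go-wx "$1"
}

# Audit, harden, and re-check each folder given on the command line.
nuget_perm_main() {
    rc=0
    for dir in "$@"; do
        echo "$dir: $(nuget_perm_count "$dir" 2>/dev/null) loose entries before"
        nuget_perm_audit "$dir" 2>/dev/null
        if nuget_perm_harden "$dir"; then
            echo "$dir: $(nuget_perm_count "$dir") loose entries after"
        else
            rc=1
        fi
    done
    return "$rc"
}

# Runs only when folders are passed explicitly, e.g.
#   sh nuget-perms.sh ~/.nuget/packages ./packages
if [ "$#" -gt 0 ]; then
    nuget_perm_main "$@"
fi
```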
FAQ
Is there any additional information I need to apply the updates?
Yes. To apply the updates, follow step A1 or A2, and then step B.
A1. Delete all NuGet package extraction folders, including all global packages folder(s) and solution packages folder(s).
A2. Apply the workaround described in the Workaround section on the existing folders and any files in the package extraction folders.
B. Install and use the updates.
Updates
Product | Article | Update |
---|---|---|
Visual Studio 2017 for Mac | ||
Nuget 4.3.1 | ||
Nuget 4.4.2 | ||
Nuget 4.5.2 | ||
Nuget 4.6.3 | ||
Nuget 4.7.2 | ||
Nuget 4.8.2 | ||
Nuget 4.9.4 | ||
Mono Framework Version 5.18.0.223 | ||
Mono Framework Version 5.20.0 | ||