Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-26646

Опубликовано: 14 мая 2025
Источник: redhat
CVSS3: 8

Описание

External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network.

A flaw was found in .NET and Visual Studio. This vulnerability allows an attacker to use specially crafted input to spoof trusted content or identities, potentially misleading users or systems. This issue requires user interaction and limited privileges but can lead to unauthorized actions or escalation due to incorrect identity or content validation handling.

Отчет

This vulnerability in .NET is Important because it allows spoofing of trusted identities or content through crafted input, exploiting weaknesses in validation logic. While it requires user interaction and limited privileges, it can subvert authentication flows or integrity checks, leading to unauthorized actions. In security-sensitive contexts—like signed assembly loading, secure package feeds, or automated build systems—such spoofing can compromise trust boundaries and facilitate privilege escalation or supply chain attacks, making it more severe than a typical moderate flaw.

.NET 6.0 for RHEL-8, RHEL-9 and RHIVOS has reached its End of Life as of November 12, 2024, and is no longer supported. No fixes will be provided for this stream. For additional information about lifecycle for .NET on Red Hat Enterprise Linux, please refer to: https://access.redhat.com/support/policy/updates/net-core.

Меры по смягчению последствий

No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 9dotnet6.0Out of support scope
Red Hat Enterprise Linux 9dotnet7.0Out of support scope
Red Hat Enterprise Linux 10dotnet8.0FixedRHSA-2025:759914.05.2025
Red Hat Enterprise Linux 10dotnet9.0FixedRHSA-2025:760114.05.2025
Red Hat Enterprise Linux 8dotnet9.0FixedRHSA-2025:757114.05.2025
Red Hat Enterprise Linux 8dotnet8.0FixedRHSA-2025:758914.05.2025
Red Hat Enterprise Linux 9dotnet8.0FixedRHSA-2025:759814.05.2025
Red Hat Enterprise Linux 9dotnet9.0FixedRHSA-2025:760014.05.2025
Red Hat Enterprise Linux 9.4 Extended Update Supportdotnet8.0FixedRHSA-2025:760314.05.2025

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-290
https://bugzilla.redhat.com/show_bug.cgi?id=2365317dotnet: .NET and Visual Studio Spoofing Vulnerability

8 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2025-26646

CVSS3: 8
ubuntu
11 месяцев назад

External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network.

nvd логотип

CVE-2025-26646

CVSS3: 8
nvd
11 месяцев назад

External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network.

msrc логотип

CVE-2025-26646

CVSS3: 8
msrc
11 месяцев назад

.NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability

rocky логотип

RLSA-2025:7601

rocky
6 месяцев назад

Important: .NET 9.0 security update

rocky логотип

RLSA-2025:7600

rocky
6 месяцев назад

Important: .NET 9.0 security update

8 High

CVSS3