CVE-2025-26646

Опубликовано: 14 мая 2025

Источник: redhat

CVSS3: 8

Описание

External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network.

A flaw was found in .NET and Visual Studio. This vulnerability allows an attacker to use specially crafted input to spoof trusted content or identities, potentially misleading users or systems. This issue requires user interaction and limited privileges but can lead to unauthorized actions or escalation due to incorrect identity or content validation handling.

Отчет

This vulnerability in .NET is Important because it allows spoofing of trusted identities or content through crafted input, exploiting weaknesses in validation logic. While it requires user interaction and limited privileges, it can subvert authentication flows or integrity checks, leading to unauthorized actions. In security-sensitive contexts—like signed assembly loading, secure package feeds, or automated build systems—such spoofing can compromise trust boundaries and facilitate privilege escalation or supply chain attacks, making it more severe than a typical moderate flaw.

Меры по смягчению последствий

No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 9	dotnet6.0	Not affected
Red Hat Enterprise Linux 9	dotnet7.0	Not affected
Red Hat Enterprise Linux 10	dotnet8.0	Fixed	RHSA-2025:7599	14.05.2025
Red Hat Enterprise Linux 10	dotnet9.0	Fixed	RHSA-2025:7601	14.05.2025
Red Hat Enterprise Linux 8	dotnet9.0	Fixed	RHSA-2025:7571	14.05.2025
Red Hat Enterprise Linux 8	dotnet8.0	Fixed	RHSA-2025:7589	14.05.2025
Red Hat Enterprise Linux 9	dotnet8.0	Fixed	RHSA-2025:7598	14.05.2025
Red Hat Enterprise Linux 9	dotnet9.0	Fixed	RHSA-2025:7600	14.05.2025
Red Hat Enterprise Linux 9.4 Extended Update Support	dotnet8.0	Fixed	RHSA-2025:7603	14.05.2025

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-290

https://bugzilla.redhat.com/show_bug.cgi?id=2365317dotnet: .NET and Visual Studio Spoofing Vulnerability

8 High

CVSS3

Связанные уязвимости

CVE-2025-26646

CVSS3: 8

ubuntu

около 1 месяца назад

External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network.

CVE-2025-26646

CVSS3: 8

nvd

около 1 месяца назад

External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network.