CVE-2022-41089: .NET Remote Code Execution Vulnerability
(updated )
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1, .NET 6.0., and .NET 7.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A remote code execution vulnerability exists in .NET Core 3.1, .NET 6.0, and .NET 7.0, where a malicious actor could cause a user to run arbitrary code as a result of parsing maliciously crafted xps files.
References
- github.com/advisories/GHSA-2c7v-qcjp-4mg2
- github.com/dotnet/announcements/issues/242
- github.com/dotnet/wpf
- github.com/dotnet/wpf/commit/5f4c0f7763a06b024c8a517616e0fc0194e997a4
- github.com/dotnet/wpf/commit/7b0be4d41c33ce8525d8160bf8869cac10f8a8cd
- github.com/dotnet/wpf/commit/c08825a9889e6c798fe95ed5ec1f6a9f517ab5a0
- github.com/dotnet/wpf/security/advisories/GHSA-2c7v-qcjp-4mg2
- msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41089
- nvd.nist.gov/vuln/detail/CVE-2022-41089
Detect and mitigate CVE-2022-41089 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →