{"containers": {"cna": {"affected": [{"product": "Microsoft Visual Studio", "vendor": "Microsoft", "versions": [{"status": "affected", "version": "2017 for Mac"}]}, {"product": ".NET Core SDK", "vendor": "Microsoft", "versions": [{"status": "affected", "version": "1.1 on .NET Core 1.0"}, {"status": "affected", "version": "2.1.500 on .NET Core 2.1"}, {"status": "affected", "version": "2.2.100 on .NET Core 2.2"}, {"status": "affected", "version": "1.1 on .NET Core 1.1"}]}, {"product": "Nuget", "vendor": "Microsoft", "versions": [{"status": "affected", "version": "4.3.1"}, {"status": "affected", "version": "4.4.2"}, {"status": "affected", "version": "4.5.2"}, {"status": "affected", "version": "4.6.3"}, {"status": "affected", "version": "4.7.2"}, {"status": "affected", "version": "4.8.2"}, {"status": "affected", "version": "4.9.4"}]}, {"product": "Mono Framework", "vendor": "Microsoft", "versions": [{"status": "affected", "version": "5.18.0.223"}, {"status": "affected", "version": "5.20.0"}]}], "datePublic": "2019-03-12T00:00:00", "descriptions": [{"lang": "en", "value": "A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify a NuGet package's folder structure, aka 'NuGet Package Manager Tampering Vulnerability'."}], "problemTypes": [{"descriptions": [{"description": "Tampering", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-05-22T12:06:04", "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0757"}, {"name": "RHSA-2019:1259", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1259"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@microsoft.com", "ID": "CVE-2019-0757", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Microsoft Visual Studio", "version": {"version_data": [{"version_value": "2017 for Mac"}]}}, {"product_name": ".NET Core SDK", "version": {"version_data": [{"version_value": "1.1 on .NET Core 1.0"}, {"version_value": "2.1.500 on .NET Core 2.1"}, {"version_value": "2.2.100 on .NET Core 2.2"}, {"version_value": "1.1 on .NET Core 1.1"}]}}, {"product_name": "Nuget", "version": {"version_data": [{"version_value": "4.3.1"}, {"version_value": "4.4.2"}, {"version_value": "4.5.2"}, {"version_value": "4.6.3"}, {"version_value": "4.7.2"}, {"version_value": "4.8.2"}, {"version_value": "4.9.4"}]}}, {"product_name": "Mono Framework", "version": {"version_data": [{"version_value": "5.18.0.223"}, {"version_value": "5.20.0"}]}}]}, "vendor_name": "Microsoft"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify a NuGet package's folder structure, aka 'NuGet Package Manager Tampering Vulnerability'."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Tampering"}]}]}, "references": {"reference_data": [{"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0757", "refsource": "CONFIRM", "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0757"}, {"name": "RHSA-2019:1259", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1259"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:58:59.044Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0757"}, {"name": "RHSA-2019:1259", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1259"}]}]}, "cveMetadata": {"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "assignerShortName": "microsoft", "cveId": "CVE-2019-0757", "datePublished": "2019-04-09T01:51:25", "dateReserved": "2018-11-26T00:00:00", "dateUpdated": "2024-08-04T17:58:59.044Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:visual_studio_2017:-:*:*:*:*:*:*:*", "matchCriteriaId": "CDA983E6-A2DA-48BB-9874-14CF4B3AAE15", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:nuget:4.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "3BBC3EE0-4087-41B2-A68E-547BC2E555B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:nuget:4.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "A682279C-B149-4B8C-A77B-358734FEED04", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:nuget:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "1D679328-6D42-47AA-9442-39EDD7934AC8", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:nuget:4.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "1CEF9AC2-976B-4984-ACE7-7F1FFDC5DE4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:nuget:4.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "687F6CDF-90C8-4452-8EF4-2B7B2583D399", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:nuget:4.8.2:*:*:*:*:*:*:*", "matchCriteriaId": "CCA80AC0-B4F7-4318-B1DF-CC12C878B458", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:nuget:4.9.4:*:*:*:*:*:*:*", "matchCriteriaId": "C821DB95-80BF-4B94-8194-AAA286457FA3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mono-project:mono_framework:5.18.0.223:*:*:*:*:*:*:*", "matchCriteriaId": "2A9C97DF-AF6E-4D4D-9A65-F4DA1E8B4F91", "vulnerable": true}, {"criteria": "cpe:2.3:a:mono-project:mono_framework:5.20.0:*:*:*:*:*:*:*", "matchCriteriaId": "A56F0C3E-21CF-4887-B931-505E9F9BAE54", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net_core_sdk:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "F38B0049-4EF6-4EFB-AC6A-71B8A9FA6544", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net_core:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EDF760A-C775-457E-8091-586E56545B07", "vulnerable": false}, {"criteria": "cpe:2.3:a:microsoft:.net_core:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "2F87DCF0-0552-4815-8148-C9894397C5EF", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net_core_sdk:2.1.500:*:*:*:*:*:*:*", "matchCriteriaId": "7BACCC0F-721B-4039-985D-EFAD2044996E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net_core:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "3BF7E3F6-D3AE-404D-8F0E-0C57BF23006C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net_core_sdk:2.2.100:*:*:*:*:*:*:*", "matchCriteriaId": "D8A3CDDB-8FF1-4CB0-BD4E-5BF78792D9CC", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net_core:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "A5AB75F9-B0FC-46B5-A863-0458696773DB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "92BC9265-6959-4D37-BE5E-8C45E98992F8", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*", "matchCriteriaId": "831F0F47-3565-4763-B16F-C87B1FF2035E", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*", "matchCriteriaId": "0E3F09B5-569F-4C58-9FCA-3C0953D107B5", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*", "matchCriteriaId": "6897676D-53F9-45B3-B27F-7FF9A4C58D33", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*", "matchCriteriaId": "E28F226A-CBC7-4A32-BE58-398FA5B42481", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*", "matchCriteriaId": "B09ACF2D-D83F-4A86-8185-9569605D8EE1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*", "matchCriteriaId": "AC10D919-57FD-4725-B8D2-39ECB476902F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify a NuGet package's folder structure, aka 'NuGet Package Manager Tampering Vulnerability'."}, {"lang": "es", "value": "Existe una vulnerabilidad de manipulaci\u00f3n en NuGet Package Manager para Linux y Mac que podr\u00eda permitir que un atacante autenticado modifique la estructura de carpetas de un paquete de NuGet, tambi\u00e9n conocida como 'NuGet Package Manager Tampering Vulnerability'."}], "id": "CVE-2019-0757", "lastModified": "2024-11-21T04:17:13.843", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-09T02:29:00.600", "references": [{"source": "secure@microsoft.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:1259"}, {"source": "secure@microsoft.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0757"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:1259"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0757"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:1.0::el7", "package": "rh-dotnet21-0:2.1-8.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:1.0::el7", "package": "rh-dotnet21-dotnet-0:2.1.505-1.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:1.0::el7", "package": "rh-dotnet22-0:2.2-4.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:1.0::el7", "package": "rh-dotnet22-dotnet-0:2.2.105-1.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:1.0::el7", "package": "rh-dotnetcore10-dotnetcore-0:1.0.15-1.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:1.0::el7", "package": "rh-dotnetcore11-dotnetcore-0:1.1.12-1.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:1.1::el7", "package": "rh-dotnet21-0:2.1-8.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:1.1::el7", "package": "rh-dotnet21-dotnet-0:2.1.505-1.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:1.1::el7", "package": "rh-dotnet22-0:2.2-4.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:1.1::el7", "package": "rh-dotnet22-dotnet-0:2.2.105-1.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:1.1::el7", "package": "rh-dotnetcore10-dotnetcore-0:1.0.15-1.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:1.1::el7", "package": "rh-dotnetcore11-dotnetcore-0:1.1.12-1.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:2.1::el7", "package": "rh-dotnet21-0:2.1-8.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:2.1::el7", "package": "rh-dotnet21-dotnet-0:2.1.505-1.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:2.1::el7", "package": "rh-dotnet22-0:2.2-4.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:2.1::el7", "package": "rh-dotnet22-dotnet-0:2.2.105-1.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:2.1::el7", "package": "rh-dotnetcore10-dotnetcore-0:1.0.15-1.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:2.1::el7", "package": "rh-dotnetcore11-dotnetcore-0:1.1.12-1.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:2.2::el7", "package": "rh-dotnet21-0:2.1-8.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:2.2::el7", "package": "rh-dotnet21-dotnet-0:2.1.505-1.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:2.2::el7", "package": "rh-dotnet22-0:2.2-4.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:2.2::el7", "package": "rh-dotnet22-dotnet-0:2.2.105-1.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:2.2::el7", "package": "rh-dotnetcore10-dotnetcore-0:1.0.15-1.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:0544", "cpe": "cpe:/a:redhat:rhel_dotnet:2.2::el7", "package": "rh-dotnetcore11-dotnetcore-0:1.1.12-1.el7", "product_name": ".NET Core on Red Hat Enterprise Linux", "release_date": "2019-03-13T00:00:00Z"}, {"advisory": "RHSA-2019:1259", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet-0:2.1.507-2.el8_0", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-05-22T00:00:00Z"}], "bugzilla": {"description": "dotnet: NuGet Tampering Vulnerability", "id": "1685475", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1685475"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-732", "details": ["A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify a NuGet package's folder structure, aka 'NuGet Package Manager Tampering Vulnerability'.", "A flaw was found in dotnet. A tampering vulnerability exists in NuGet software when executed in a Linux or Mac environment. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "name": "CVE-2019-0757", "public_date": "2019-03-12T17:33:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-0757\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-0757\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0757"], "threat_severity": "Important", "upstream_fix": "dotnet 2.1.9, dotnet 2.2.3"}