FS#69317 - [dotnet-core] [Security] denial of service (CVE-2021-1723)

Attached to Project: Community Packages
Opened by Jonas Witschel (diabonas) - Wednesday, 13 January 2021, 21:49 GMT
Last edited by Maxime Gauduin (Alucryd) - Wednesday, 17 March 2021, 07:52 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Maxime Gauduin (Alucryd)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No



The packages dotnet-runtime and dotnet-sdk are vulnerable to denial of service via CVE-2021-1723.


Upgrading to the latest version 3.1.11 of dotnet-core fixes the issue.


This task depends upon

Closed by  Maxime Gauduin (Alucryd)
Wednesday, 17 March 2021, 07:52 GMT
Reason for closing:  Fixed
Additional comments about closing:  5.0.4.sdk104
Comment by Jonas Witschel (diabonas) - Tuesday, 09 February 2021, 18:27 GMT
Two more issues have been found (CVE-2021-1721 and CVE-2021-24112), one of the could lead to arbitrary code execution. Please update dotnet to version 3.1.12 (https://github.com/dotnet/core/blob/master/release-notes/3.1/3.1.12/3.1.12.md) to fix these issues.
Comment by Jonas Witschel (diabonas) - Tuesday, 09 March 2021, 18:11 GMT
And yet another one (CVE-2021-26701), please update dotnet to version 3.1.13 (https://github.com/dotnet/core/blob/main/release-notes/3.1/3.1.13/3.1.13.md).
Comment by Jonas Witschel (diabonas) - Tuesday, 16 March 2021, 11:10 GMT
CVE-2021-1723, CVE-2021-1721 and CVE-2021-24112 have been fixed by the recent update to dotnet 5.0.3.sdk103. However, the package is still vulnerable to the latest issue CVE-2021-26701. Please update to version 5.0.4 / SDK 5.0.104 to fix the issue, see https://github.com/dotnet/announcements/issues/178