CVE-2019-0757

A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify a NuGet package's folder structure, aka 'NuGet Package Manager Tampering Vulnerability'.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://access.redhat.com/errata/RHSA-2019:1259	Third Party Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0757	Patch Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:1259	Third Party Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0757	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:microsoft:visual_studio_2017:-:*:*:*:*:*:*:*

cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:microsoft:nuget:4.3.1:::::::*
	cpe:2.3:a:microsoft:nuget:4.4.2:::::::*
	cpe:2.3:a:microsoft:nuget:4.5.2:::::::*
	cpe:2.3:a:microsoft:nuget:4.6.3:::::::*
	cpe:2.3:a:microsoft:nuget:4.7.2:::::::*
	cpe:2.3:a:microsoft:nuget:4.8.2:::::::*
	cpe:2.3:a:microsoft:nuget:4.9.4:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:mono-project:mono_framework:5.18.0.223:::::::*
	cpe:2.3:a:mono-project:mono_framework:5.20.0:::::::*

Configuration 4 (hide)

AND

cpe:2.3:a:microsoft:.net_core_sdk:1.1:*:*:*:*:*:*:*

OR	cpe:2.3:a:microsoft:.net_core:1.0:::::::*
	cpe:2.3:a:microsoft:.net_core:1.1:::::::*

Configuration 5 (hide)

AND

cpe:2.3:a:microsoft:.net_core_sdk:2.1.500:*:*:*:*:*:*:*

cpe:2.3:a:microsoft:.net_core:2.1:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:a:microsoft:.net_core_sdk:2.2.100:*:*:*:*:*:*:*

cpe:2.3:a:microsoft:.net_core:2.2:*:*:*:*:*:*:*

Configuration 7 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.1:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:::::::*

History

21 Nov 2024, 04:17

Type	Values Removed	Values Added
References	~~() https://access.redhat.com/errata/RHSA-2019:1259 - Third Party Advisory~~	() https://access.redhat.com/errata/RHSA-2019:1259 - Third Party Advisory
References	~~() https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0757 - Patch, Vendor Advisory~~	() https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0757 - Patch, Vendor Advisory

11 Apr 2022, 20:36

Type	Values Removed	Values Added
References	~~(REDHAT) https://access.redhat.com/errata/RHSA-2019:1259 -~~	(REDHAT) https://access.redhat.com/errata/RHSA-2019:1259 - Third Party Advisory
CPE		cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:::::::* cpe:2.3:o:redhat:enterprise_linux_eus:8.4:::::::* cpe:2.3:o:redhat:enterprise_linux_eus:8.2:::::::* cpe:2.3:o:redhat:enterprise_linux_eus:8.1:::::::* cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:::::::* cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:::::::* cpe:2.3:o:redhat:enterprise_linux:8.0:::::::* cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:::::::*

08 Sep 2021, 17:21

Type	Values Removed	Values Added
CPE	cpe:2.3:o:apple:mac_os:-:::::::*	cpe:2.3:o:apple:macos:-:::::::*

Information

Published : 2019-04-09 02:29

Updated : 2024-11-21 04:17

NVD link : CVE-2019-0757

Mitre link : CVE-2019-0757

CVE.ORG link : CVE-2019-0757

JSON object : View

Products Affected

apple

macos

redhat

enterprise_linux
enterprise_linux_server_aus
enterprise_linux_server_tus
enterprise_linux_eus

microsoft

.net_core
.net_core_sdk
nuget
visual_studio_2017

mono-project

mono_framework

CWE

NVD-CWE-noinfo

{"id": "CVE-2019-0757", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2019-04-09T02:29:00.600", "references": [{"url": "https://access.redhat.com/errata/RHSA-2019:1259", "tags": ["Third Party Advisory"], "source": "secure@microsoft.com"}, {"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0757", "tags": ["Patch", "Vendor Advisory"], "source": "secure@microsoft.com"}, {"url": "https://access.redhat.com/errata/RHSA-2019:1259", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0757", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify a NuGet package's folder structure, aka 'NuGet Package Manager Tampering Vulnerability'."}, {"lang": "es", "value": "Existe una vulnerabilidad de manipulaci\u00f3n en NuGet Package Manager para Linux y Mac que podr\u00eda permitir que un atacante autenticado modifique la estructura de carpetas de un paquete de NuGet, tambi\u00e9n conocida como 'NuGet Package Manager Tampering Vulnerability'."}], "lastModified": "2024-11-21T04:17:13.843", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:visual_studio_2017:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CDA983E6-A2DA-48BB-9874-14CF4B3AAE15"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:nuget:4.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3BBC3EE0-4087-41B2-A68E-547BC2E555B0"}, {"criteria": "cpe:2.3:a:microsoft:nuget:4.4.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A682279C-B149-4B8C-A77B-358734FEED04"}, {"criteria": "cpe:2.3:a:microsoft:nuget:4.5.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D679328-6D42-47AA-9442-39EDD7934AC8"}, {"criteria": "cpe:2.3:a:microsoft:nuget:4.6.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1CEF9AC2-976B-4984-ACE7-7F1FFDC5DE4E"}, {"criteria": "cpe:2.3:a:microsoft:nuget:4.7.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "687F6CDF-90C8-4452-8EF4-2B7B2583D399"}, {"criteria": "cpe:2.3:a:microsoft:nuget:4.8.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CCA80AC0-B4F7-4318-B1DF-CC12C878B458"}, {"criteria": "cpe:2.3:a:microsoft:nuget:4.9.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C821DB95-80BF-4B94-8194-AAA286457FA3"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mono-project:mono_framework:5.18.0.223:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A9C97DF-AF6E-4D4D-9A65-F4DA1E8B4F91"}, {"criteria": "cpe:2.3:a:mono-project:mono_framework:5.20.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A56F0C3E-21CF-4887-B931-505E9F9BAE54"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net_core_sdk:1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F38B0049-4EF6-4EFB-AC6A-71B8A9FA6544"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net_core:1.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9EDF760A-C775-457E-8091-586E56545B07"}, {"criteria": "cpe:2.3:a:microsoft:.net_core:1.1:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2F87DCF0-0552-4815-8148-C9894397C5EF"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net_core_sdk:2.1.500:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7BACCC0F-721B-4039-985D-EFAD2044996E"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net_core:2.1:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3BF7E3F6-D3AE-404D-8F0E-0C57BF23006C"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net_core_sdk:2.2.100:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D8A3CDDB-8FF1-4CB0-BD4E-5BF78792D9CC"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net_core:2.2:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A5AB75F9-B0FC-46B5-A863-0458696773DB"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "92BC9265-6959-4D37-BE5E-8C45E98992F8"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "831F0F47-3565-4763-B16F-C87B1FF2035E"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E3F09B5-569F-4C58-9FCA-3C0953D107B5"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6897676D-53F9-45B3-B27F-7FF9A4C58D33"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E28F226A-CBC7-4A32-BE58-398FA5B42481"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B09ACF2D-D83F-4A86-8185-9569605D8EE1"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AC10D919-57FD-4725-B8D2-39ECB476902F"}], "operator": "OR"}]}], "sourceIdentifier": "secure@microsoft.com"}

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2019-0757

6.5^/10

4.0^/10

Attach tags to `CVE-2019-0757`