Homepage
About Snyk

Arbitrary Code Execution Affecting masuit.tools.core package, versions [0,]

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.38% (74th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-DOTNET-MASUITTOOLSCORE-2316875
  • published 27 Feb 2022
  • disclosed 13 Dec 2021
  • credit Keyang Yin, zpbrent(zhou, peng@shu)
Report a new vulnerability Found a mistake?

Introduced: 13 Dec 2021

CVE-2022-21167 Open this link in a new tab
CWE-94 Open this link in a new tab
First added by Snyk

How to fix?

There is no fixed version for Masuit.Tools.Core.

Overview

Affected versions of this package are vulnerable to Arbitrary Code Execution via the ReceiveVarData<T> function in the SocketClient.cs component. The socket client in the package can pass in the payload via the user-controllable input after it has been established, because this socket client transmission does not have the appropriate restrictions or type bindings for the BinaryFormatter.

References

CVSS Scores

version 3.1
Expand this section

Snyk

7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

9.8 critical