CVE-2021-41355
published 2021-10-13
CVE-2021-41355: .NET Core and Visual Studio Information Disclosure Vulnerability
Priority P4 32, medium, 5.7 (CVSS 3.1)
AV:A / AC:L / PR:N / UI:R / S:U / C:H / I:N / A:N
EPSS: 20.34% (97.2th percentile)
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_visual_studio_2019_version_16.11 | >= 16.11.0 < 16.11.5 | 16.11.5 |
| microsoft | microsoft_visual_studio_2019_version_16.9 | >= 15.0.0 < 16.9.12 | 16.9.12 |
| microsoft | net | — | — |
| microsoft | net_5.0 | >= 5.0.0 < 5.0.11 | 5.0.11 |
| microsoft | powershell | >= 7.1 < 7.1.5 | 7.1.5 |
| microsoft | powershell_7.1 | >= 7.1.0 < 7.1.5 | 7.1.5 |
| microsoft | visual_studio_2019 | 16.0 – 16.11 | — |
| msrc | microsoft_visual_studio_2019_version_16.11 | — | — |
| msrc | microsoft_visual_studio_2019_version_16.9 | — | — |
| msrc | net_5.0 | — | — |
| msrc | powershell_7.1 | — | — |
CVSS provenance
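| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.7 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 2.9 | LOW | AV:A/AC:M/Au:N/C:P/I:N/A:N |
| ghsa | — | 5.7 | MEDIUM | — |
| osv | — | 5.7 | MEDIUM | — |
| vendor_msrc | — | 5.7 | MEDIUM | — |
| vendor_redhat | — | 5.7 | MEDIUM | — |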
Red Hat
dotnet: System.DirectoryServices.Protocols.LdapConnection sends credentials in plaintext if TLS handshake fails
vendor_redhat·2021-10-12·CVSS 5.7
CVE-2021-41355 [MEDIUM] CWE-319 dotnet: System.DirectoryServices.Protocols.LdapConnection sends credentials in plaintext if TLS handshake fails
.NET Core and Visual Studio Information Disclosure Vulnerability
A flaw was found in dotnet, where the System.DirectoryServices.Protocols.LdapConnection sends credentials in plaintext if the Transport Layer Security (TLS) handshake fails. This flaw allows an attacker to intercept sensitive information. The highest threat from this vulnerability is to confidentiality.
Package: rh-dotnet31-dotnet (.NET Core 3.1 on Red Hat Enterprise Linux) - Not affected
Package: dotnet3.1 (Red Hat Enterprise Linux 8) - Not affected
Package: dotnet3.1 (Red Hat Enterprise Linux 9) - Not affected
Microsoft
.NET Core and Visual Studio Information Disclosure Vulnerability
vendor_msrc·2021-10-12·CVSS 5.7
CVE-2021-41355 [MEDIUM] .NET Core and Visual Studio Information Disclosure Vulnerability
FAQ: What type of information could be disclosed by this vulnerability?
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information.
.NET Core & Visual Studio: .NET Core & Visual Studio
Microsoft: Microsoft
Impact: Information Disclosure
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely; DOS: N/A
Remediation: Release Notes
Reference: https://github.com/PowerShell/PowerShell#get-powershell
Reference: https://my.visualstudio.com/Downloads?q=Visual Studio 2019 version 16.9
Reference: https://my.visualstudio.com/Downloads?q=Visual Studio 2019 version 16.11
GHSA
Credential Disclosure in System.DirectoryServices.Protocols
ghsa·2021-10-12·CVSS 5.7
CVE-2021-41355 [MEDIUM] CWE-200 Credential Disclosure in System.DirectoryServices.Protocols
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
An information disclosure vulnerability exists in .NET where `System.DirectoryServices.Protocols.LdapConnection` may send credentials in plain text on Linux.
### Patches
Any .NET application that uses `System.DirectoryServices.Protocols` with a vulnerable version listed below on a Linux-based system.
Package name | Vulnerable versions | Secure versions
------------ | ---------------- | -------------------------
System.DirectoryServices.Protocols | 5.0.0 | 5.0.1
### Other Details
- Announcement for this issue
OSV
Credential Disclosure in System.DirectoryServices.Protocols
osv·2021-10-12·CVSS 5.7
CVE-2021-41355 [MEDIUM] Credential Disclosure in System.DirectoryServices.Protocols
No detection rules found.
No public exploits indexed.
Published: 2021-10-13