Vulnerability Name:

CVE-2022-41032 (CCN-237317)

Assigned:2022-10-11
Published:2022-10-11
Updated:2022-12-02
Summary:NuGet Client Elevation of Privilege Vulnerability.
CVSS v3 Severity:7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
7.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
7.8 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-524
Vulnerability Consequences:Gain Privileges
References:Source: MITRE
Type: CNA
CVE-2022-41032

Source: XF
Type: UNKNOWN
ms-dotnet-cve202241032-priv-esc(237317)

Source: secure@microsoft.com
Type: Mailing List, Third Party Advisory
secure@microsoft.com

Source: secure@microsoft.com
Type: Mailing List, Third Party Advisory
secure@microsoft.com

Source: secure@microsoft.com
Type: Mailing List, Third Party Advisory
secure@microsoft.com

Source: CCN
Type: Microsoft Security TechCenter - October 2022
CVE-2022-41032 - NuGet Client Elevation of Privilege Vulnerability

Source: secure@microsoft.com
Type: Patch, Vendor Advisory
secure@microsoft.com

Source: CCN
Type: IBM Security Bulletin 6853463 (Robotic Process Automation for Cloud Pak)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

Vulnerable Configuration:Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*
    • Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*
    • Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*
    • Configuration RedHat 5:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*
    • Configuration RedHat 6:
  • cpe:/a:redhat:enterprise_linux:9::crb:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:microsoft:.net_core:3.1:-:*:*:*:*:*:*
  • OR cpe:/a:microsoft:visual_studio_2019:16.9:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:visual_studio_2019:16.11:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:visual_studio_2022:17.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:visual_studio_2022:17.2:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:visual_studio_2022:17.3:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:visual_studio_2022:17.3:*:*:*:*:mac:*:*
  • AND
  • cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.4:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.redhat.rhsa:def:20228434
    P
    		RHSA-2022:8434: dotnet7.0 security, bug fix, and enhancement update (Moderate)
    2022-11-15
    oval:com.redhat.rhsa:def:20227826
    P
    		RHSA-2022:7826: dotnet7.0 security, bug fix, and enhancement update (Moderate)
    2022-11-08
    oval:com.redhat.rhsa:def:20226911
    P
    		RHSA-2022:6911: .NET 6.0 security and bugfix update (Moderate)
    2022-10-12
    oval:com.redhat.rhsa:def:20226912
    P
    		RHSA-2022:6912: .NET Core 3.1 security and bugfix update (Moderate)
    2022-10-12
    oval:com.redhat.rhsa:def:20226913
    P
    		RHSA-2022:6913: .NET 6.0 security and bugfix update (Moderate)
    2022-10-12
    BACK
    microsoft .net core 3.1
    microsoft visual studio 2019 16.9
    microsoft visual studio 2019 16.11
    microsoft visual studio 2022 17.0
    microsoft visual studio 2022 17.2
    microsoft visual studio 2022 17.3
    microsoft visual studio 2022 17.3
    ibm robotic process automation for cloud pak 21.0.1
    ibm robotic process automation for cloud pak 21.0.2
    ibm robotic process automation for cloud pak 21.0.3
    ibm robotic process automation for cloud pak 21.0.5
    ibm robotic process automation for cloud pak 21.0.4