CVE-2022-41032 : NuGet Client Elevation of Privilege Vulnerability

Products affected by CVE-2022-41032

Microsoft » .net Core » Version: 3.1
cpe:2.3:a:microsoft:.net_core:3.1:-:*:*:*:*:*:*
Matching versions
Microsoft » Visual Studio 2019
Versions from including (>=) 16.10.0 and before (<) 16.11.20
cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*
Matching versions
Microsoft » Visual Studio 2019
Versions from including (>=) 16.0.0 and before (<) 16.9.26
cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*
Matching versions
Microsoft » .net » Version: 6.0.0
cpe:2.3:a:microsoft:.net:6.0.0:-:*:*:*:*:*:*
Matching versions
Microsoft » Visual Studio 2022
Versions from including (>=) 17.2.0 and before (<) 17.2.9
cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*
Matching versions
Microsoft » Visual Studio 2022
Versions from including (>=) 17.0 and before (<) 17.0.15
cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*
Matching versions
Microsoft » Visual Studio 2022 »
Versions from including (>=) 17.3 and before (<) 17.3.6
cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:-:*:*
Matching versions
Microsoft » Visual Studio 2022 » For Macos
Versions from including (>=) 17.3 and before (<) 17.3.7
cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:macos:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 36
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 37
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-41032

EPSS FAQ

13.90%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 94 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-41032

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	Microsoft Corporation
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-41032

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

References for CVE-2022-41032

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X7BMHO5ITRBZREVTEKHQRGSFRPDMALV3/

[SECURITY] Fedora 36 Update: dotnet3.1-3.1.424-1.fc36 - package-announce - Fedora Mailing-Lists
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOG35Z5RL5W5RGLLYLN46CI4D2UPDSWM/

[SECURITY] Fedora 37 Update: dotnet6.0-6.0.110-2.fc37 - package-announce - Fedora Mailing-Lists
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X7BMHO5ITRBZREVTEKHQRGSFRPDMALV3/

[SECURITY] Fedora 36 Update: dotnet3.1-3.1.424-1.fc36 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41032

CVE-2022-41032 - Security Update Guide - Microsoft - NuGet Client Elevation of Privilege Vulnerability
Patch;Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HDPT2MJC3HD7HYZGASOOX6MTDR4ASBL5/

[SECURITY] Fedora 35 Update: dotnet3.1-3.1.424-1.fc35 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41032

CVE-2022-41032 - Security Update Guide - Microsoft - NuGet Client Elevation of Privilege Vulnerability
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HDPT2MJC3HD7HYZGASOOX6MTDR4ASBL5/

[SECURITY] Fedora 35 Update: dotnet3.1-3.1.424-1.fc35 - package-announce - Fedora Mailing-Lists
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FOG35Z5RL5W5RGLLYLN46CI4D2UPDSWM/

[SECURITY] Fedora 37 Update: dotnet6.0-6.0.110-2.fc37 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

Vulnerability Details : CVE-2022-41032

Products affected by CVE-2022-41032

Exploit prediction scoring system (EPSS) score for CVE-2022-41032

CVSS scores for CVE-2022-41032

CWE ids for CVE-2022-41032

References for CVE-2022-41032