Vulnerability Description
All versions of the package masuit.tools.core are vulnerable to Arbitrary Code Execution via the ReceiveVarData<T> function in the SocketClient.cs component. After the socket client's connection has been established, a payload can be passed in through user-controllable input, because the socket client's transmission does not apply appropriate restrictions or type bindings to the BinaryFormatter.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ldqk | Masuit.Tools | All versions |
References
- https://github.com/ldqk/Masuit.Tools/blob/327f42b9f20f25bb66188672199c8265fc968d (Broken Link)
- https://snyk.io/vuln/SNYK-DOTNET-MASUITTOOLSCORE-2316875 (Third Party Advisory)
FAQ
What is CVE-2022-21167?
CVE-2022-21167 is a vulnerability with a CVSS score of 7.5 (HIGH). All versions of package masuit.tools.core are vulnerable to Arbitrary Code Execution via the ReceiveVarData<T> function in the SocketClient.cs component. The socket client in the package can pass in t...
How severe is CVE-2022-21167?
CVE-2022-21167 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-21167?
Check the references section above for vendor advisories and patch information. Affected products include: Ldqk Masuit.Tools.