Subject: [ASA-202105-20] dotnet-sdk: privilege escalation

Arch Linux Security Advisory ASA-202105-20
==========================================

Severity: Medium
Date    : 2021-05-25
CVE-ID  : CVE-2021-31204
Package : dotnet-sdk
Type    : privilege escalation
Remote  : No
Link    : https://security.archlinux.org/AVG-1944

Summary
=======

The package dotnet-sdk before version 5.0.6.sdk203-1 is vulnerable to
privilege escalation.

Resolution
==========

Upgrade to 5.0.6.sdk203-1.

# pacman -Syu "dotnet-sdk>=5.0.6.sdk203-1"

The problem has been fixed upstream in version 5.0.6.sdk203.

Workaround
==========

None.

Description
===========

An elevation of privilege vulnerability exists in .NET 5.0 and .NET
Core 3.1 when a user runs a single file application on operating
systems based on Linux or macOS. The issue is fixed in .NET 5.0,
Runtime 5.0.6 and SDK 5.0.203, as well as .NET Core 3.1, Runtime 3.1.15
and SDK 3.1.115.

Impact
======

An attacker could elevate privileges from a crafted single file
application.

References
==========

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31204
https://github.com/dotnet/announcements/issues/185
https://security.archlinux.org/CVE-2021-31204