Skip to content

Potential leak of NuGet.org API key

High
JonDouglas published GHSA-3885-8gqc-3wpf Jun 14, 2022

Package

nuget NuGet.CommandLine (NuGet)

Affected versions

>=3.5.0, <=6.2.0

Patched versions

4.9.5, 5.2.1, 5.7.2, 5.9.2, 5.11.2, 6.0.2, 6.2.1
nuget NuGet.CommandLine.XPlat (NuGet)
>=3.5.0, <=6.2.0
4.9.5, 5.2.1, 5.7.2, 5.9.2, 5.11.2, 6.0.2, 6.2.1
nuget NuGet.Commands (NuGet)
>=3.5.0, <=6.2.0
4.9.5, 5.2.1, 5.7.2, 5.9.2, 5.11.2, 6.0.2, 6.2.1

Description

Description

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 and .NET Core 3.1, NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat version range from 3.5.0 to 6.2.0). This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET Core 3.1, and NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat version range from 3.5.0 to 6.2.0) where a nuget.org api key could leak due to an incorrect comparison with a server url.

Affected software

NuGet & NuGet Packages

  • Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat 6.2.0 version or earlier.
  • Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat 6.0.1 version or earlier.
  • Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat 5.11.1 version or earlier.
  • Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat 5.9.1 version or earlier.
  • Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat 5.7.1 version or earlier.
  • Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat 4.9.4 version or earlier.

.NET SDK(s)

  • Any .NET 6.0 application running on .NET 6.0.5 or earlier.
  • Any .NET 3.1 application running on .NET Core 3.1.25 or earlier.

Patches

.NET 6.0 and .NET Core 3.1 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Other Details

Announcement for this issue can be found at NuGet/Announcements#62

MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30184

Severity

High

CVE ID

CVE-2022-30184

Weaknesses