5.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-34485

CVE-2021-34485: .NET Core Information Disclosure Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 5.0, .NET Core 3.1 and .NET Core 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

An information disclosure vulnerability exists in .NET 5.0, .NET Core 3.1 and .NET Core 2.1 when dumps created by the tool to collect crash dumps and dumps on demand are created with global read permissions on Linux and macOS.

Patches

If you're using .NET 5.0, you should download and install Runtime 5.0.9 or SDK 5.0.206 (for Visual Studio 2019 v16.8) or SDK 5.0.303 (for Visual Studio 2019 V16.10) from https://dotnet.microsoft.com/download/dotnet-core/5.0.
If you're using .NET Core 3.1, you should download and install Runtime 3.1.18 or SDK 3.1.118 (for Visual Studio 2019 v16.4) or 3.1.412 (for Visual Studio 2019 v16.7 or later) from https://dotnet.microsoft.com/download/dotnet-core/3.1.
If you're using .NET Core 2.1, you should download and install Runtime 2.1.29 or SDK 2.1.525 (for Visual Studio 2019 v15.9) or 2.1.817 from https://dotnet.microsoft.com/download/dotnet-core/2.1.

Other Details

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/196
An Issue for this can be found at https://github.com/dotnet/runtime/issues/57174
MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34485

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2021-34485

CVE-2021-34485:

5.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Microsoft.NETCore.App	nuget	>= 2.1.0, < 2.1.29	2.1.29
Microsoft.NETCore.App.Runtime.linux-arm	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.linux-arm64	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.linux-musl-arm64	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.linux-musl-x64	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.linux-x64	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.osx-x64	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.rhel.6-x64	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.win-arm	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.win-arm64	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.win-x64	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.win-x86	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.linux-arm	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.linux-arm64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.linux-musl-arm	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.linux-musl-arm64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.linux-musl-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.linux-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.linux-arm	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.linux-arm64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.linux-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-arm64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.osx-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-arm64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.LLVM.osx-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.osx-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.osx-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.win-arm	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.win-arm64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.win-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.win-x86	nuget	>= 5.0.0, < 5.0.9	5.0.9

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper file permission settings during crash dump creation. In Unix-like systems, the open()/creat() system calls' mode parameter determines file accessibility. The advisory explicitly states dumps were created with global read permissions, implying the runtime used modes like 0644 instead of restrictive 0600. The CreateDump logic in .NET Core's diagnostic component (located in debug/createdump modules) would be responsible for these file operations. While exact commit diffs aren't available, the vulnerability pattern matches insecure file permission handling in dump generation code paths, which was addressed in the patched versions by tightening permissions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-34485: .NET Core Information Disclosure Vulnerability

Patches

Other Details

CVE-2021-34485:

5.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-34485: .NET Core Information Disclosure Vulnerability

Patches

Other Details

Basic Information

Basic Information

5.5

5.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI