Miggo Logo
Miggo Vulnerability Database
CVE-2021-46703

CVE-2021-46703: Code injection in RazorEngine

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-46703
GHSA ID
GHSA-ph3v-2hq5-5qfq
EPSS Score
0.79253%
CWE
-
Published
3/7/2022
Updated
2/3/2023
KEV Status
No
Technology
TechnologyC#

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
RazorEnginenuget<= 4.5.1-alpha001

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key factors: 1) The IsolatedRazorEngineService's reliance on deprecated CAS mechanisms for sandboxing, which Microsoft explicitly states should not be considered secure. 2) The RazorDynamicObject.Create method's ability to compile and execute arbitrary expressions through dynamic object manipulation. The provided PoC in GitHub issue #585 demonstrates how combining these features allows writing files to disk via malicious templates. While the exact file paths are inferred from standard RazorEngine structure, the functional relationships are clearly established through the vulnerability description and test case.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In t** Isol*t**R*zor*n*in* *ompon*nt o* *nt*ris R*zor*n*in* t*rou** *.*.*-*lp*****, *n *tt**k*r **n *x**ut* *r*itr*ry .N*T *o** in * s*n**ox** *nvironm*nt (i* us*rs **n *xt*rn*lly *ontrol t*mpl*t* *ont*nts). NOT*: T*is vuln*r**ility only *****ts pro*

Reasoning

T** vuln*r**ility st*ms *rom two k*y ***tors: *) T** `Isol*t**R*zor*n*in*S*rvi**`'s r*li*n** on **pr***t** **S m****nisms *or s*n**oxin*, w*i** Mi*roso*t *xpli*itly st*t*s s*oul* not ** *onsi**r** s**ur*. *) T** `R*zor*yn*mi*O*j**t.*r**t*` m*t*o*'s *
RazorEngine Isolated RCE Flaw | Miggo