CVE-2023-32571

CRITICAL9.8EPSS 76.9%

Dynamic Linq vulnerable to remote code execution

Published: 6/22/2023Modified: 2/21/2024

Description

Dynamic Linq 1.0.7.10 through 1.2.25 before 1.3.0 allows attackers to execute arbitrary code and commands when untrusted input to methods including Where, Select, OrderBy is parsed.

Affected packages (1)

NuGet/System.Linq.Dynamic.Core>= 1.0.7.10, < 1.3.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-32571
PATCHhttps://github.com/zzzprojects/System.Linq.Dynamic.Core
WEBhttps://research.nccgroup.com/2023/06/13/dynamic-linq-injection-remote-code-execution-vulnerability-cve-2023-32571