Advisory #65
Title | .NET Runtime unsanitized NULL in environment variables |
CVE ID | Not assigned |
Vendor | Microsoft |
Affected product | .NET Runtime |
Affected versions | All versions |
Vulnerability type | CWE-158 (Improper Neutralization of Null Byte or NUL Character) |
Description | DISPUTED: .NET Runtime has a vulnerability that allows malicious environment variable values to set a different environment variable by using NULL bytes. NOTE: the vendor's position is that environment variable values should only take trusted and sanitized inputs. |
Status | No fix available |
Recommendation | Do not pass untrusted inputs to "ProcessStartInfo.Environment". |
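
One way to enforce the recommendation when some values cannot be fully trusted is to validate them at the single point where they are copied into `ProcessStartInfo.Environment`. This is an added example, not code from the advisory or from Microsoft; `SafeEnvironment`, `Apply`, `Validate`, the variable name and the sample values are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;

static class SafeEnvironment
{
    // Hypothetical helper (not a .NET API): copies caller-supplied variables into
    // ProcessStartInfo.Environment only after every name and value passes Validate.
    public static void Apply(ProcessStartInfo psi, IEnumerable<KeyValuePair<string, string>> vars)
    {
        foreach (var kv in vars)
        {
            Validate(kv.Key, kv.Value);
            psi.Environment[kv.Key] = kv.Value;
        }
    }

    // Rejects NUL anywhere, and '=' in names (a conservative policy choice made here).
    public static void Validate(string name, string value)
    {
        if (string.IsNullOrEmpty(name))
            throw new ArgumentException("Environment variable name is empty.");
        if (name.IndexOf('\0') >= 0 || name.IndexOf('=') >= 0)
            throw new ArgumentException("Environment variable name contains NUL or '='.");
        if (value == null)
            throw new ArgumentNullException(nameof(value));
        if (value.IndexOf('\0') >= 0)
            throw new ArgumentException($"Value for '{name}' contains a NUL character.");
    }

    static void Main()
    {
        // Placeholder file name; the process is never started in this demo.
        var psi = new ProcessStartInfo("child-placeholder");

        // Constructed sample inputs: one clean value, one with an embedded NUL.
        var clean = new Dictionary<string, string> { ["APP_LOCALE"] = "en-US" };
        var tainted = new Dictionary<string, string> { ["APP_LOCALE"] = "en-US\0trailing" };

        Apply(psi, clean);
        Console.WriteLine($"accepted: APP_LOCALE={psi.Environment["APP_LOCALE"]}");

        try { Apply(psi, tainted); }
        catch (ArgumentException ex) { Console.WriteLine($"rejected: {ex.Message}"); }
    }
}
```

Rejecting the input outright, rather than stripping the NUL and continuing, keeps a malformed value from reaching the child process in any altered form and gives the caller an error to log.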