CVE-2022-30184
Severity: medium
CVSS v3: —
CVSS v2: —
VIR risk: 5.5
Description: Potential leak of NuGet.org API key
Predictions
- Exploit likelihood: 20%
- Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2022:5046
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2022:5061
Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2022:5050
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rhel | 9 | fixed | |
| rocky | 8 | fixed | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| NuGet | NuGet.Commands | >=3.5.0,<4.9.5 | 4.9.5 |
| NuGet | NuGet.CommandLine | >=3.5.0,<4.9.5 | 4.9.5 |
| NuGet | NuGet.CommandLine.XPlat | >=3.5.0,<4.9.5 | 4.9.5 |
| NuGet | NuGet.Commands | >=5.0.0,<5.2.1 | 5.2.1 |
| NuGet | NuGet.Commands | >=5.3.0,<5.7.2 | 5.7.2 |
| NuGet | NuGet.Commands | >=5.8.0,<5.9.2 | 5.9.2 |
| NuGet | NuGet.Commands | >=5.10.0,<5.11.2 | 5.11.2 |
| NuGet | NuGet.Commands | >=6.0.0,<6.0.2 | 6.0.2 |
| NuGet | NuGet.Commands | >=6.1.0,<6.2.1 | 6.2.1 |
| NuGet | NuGet.CommandLine | >=5.0.0,<5.2.1 | 5.2.1 |
| NuGet | NuGet.CommandLine | >=5.3.0,<5.7.2 | 5.7.2 |
| NuGet | NuGet.CommandLine | >=5.8.0,<5.9.2 | 5.9.2 |
| NuGet | NuGet.CommandLine | >=5.10.0,<5.11.2 | 5.11.2 |
| NuGet | NuGet.CommandLine | >=6.0.0,<6.0.2 | 6.0.2 |
| NuGet | NuGet.CommandLine | >=6.1.0,<6.2.1 | 6.2.1 |
| NuGet | NuGet.CommandLine.XPlat | >=5.0.0,<5.2.1 | 5.2.1 |
| NuGet | NuGet.CommandLine.XPlat | >=5.3.0,<5.7.2 | 5.7.2 |
| NuGet | NuGet.CommandLine.XPlat | >=5.8.0,<5.9.2 | 5.9.2 |
| NuGet | NuGet.CommandLine.XPlat | >=5.10.0,<5.11.2 | 5.11.2 |
| NuGet | NuGet.CommandLine.XPlat | >=6.0.0,<6.0.2 | 6.0.2 |
| NuGet | NuGet.CommandLine.XPlat | >=6.1.0,<6.2.1 | 6.2.1 |
References
- https://access.redhat.com/errata/RHSA-2022:5050
- https://errata.rockylinux.org/RLSA-2022:5061
- https://errata.rockylinux.org/RLSA-2022:5046
- https://github.com/NuGet/NuGet.Client/security/advisories/GHSA-3885-8gqc-3wpf
- https://nvd.nist.gov/vuln/detail/CVE-2022-30184
- https://github.com/NuGet/Home/issues/11883#issuecomment-1156194755
- https://github.com/NuGet/NuGet.Client/commit/ec6e62a645ec6b53a8784bf4571cac7786fd700b#diff-9e678e6dcc29381eb7c564f0e75ffc3ffc35458eca412c35b6404340b698d074R58-R65
- https://github.com/NuGet/NuGet.Client
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMP34G53EA2DBTBLFOAQCDZRRENE2EA2
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWNH4AC3LFVX35MDRX5OBZDGD2AMH66K
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30184
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30184