{
  "threat_severity" : "Important",
  "public_date" : "2025-01-14T18:04:02Z",
  "bugzilla" : {
    "description" : "dotnet: .NET Elevation of Privilege Vulnerability",
    "id" : "2337893",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2337893"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-379",
  "details" : [ ".NET Elevation of Privilege Vulnerability", "An elevation of privilege vulnerability was found in .NET. This flaw allows an attacker to write a specially crafted file in the security context of the local system." ],
  "statement" : "This vulnerability is rated with an Important severity because it allows an attacker to gain elevated privileges in the local system context. By exploiting this, an attacker can bypass standard user permissions, manipulate critical system files, execute arbitrary code, or install malicious software, potentially compromising the entire system. As the CVSS vector in this record reflects (AV:L/PR:L/UI:R), exploitation requires local access, an existing low-privileged account, and user interaction.\n```\n.NET 6.0 for RHEL-8, RHEL-9 and RHIVOS has reached its End of Life as of November 12, 2024, and is no longer supported. No fixes will be provided for this stream. For additional information about the lifecycle of .NET on Red Hat Enterprise Linux, please refer to: https://access.redhat.com/support/policy/updates/net-core.\n```",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-01-16T00:00:00Z",
    "advisory" : "RHSA-2025:0381",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet8.0-0:8.0.112-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-01-16T00:00:00Z",
    "advisory" : "RHSA-2025:0382",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet9.0-0:9.0.102-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-01-14T00:00:00Z",
    "advisory" : "RHBA-2025:0304",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet8.0-0:8.0.112-1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-01-14T00:00:00Z",
    "advisory" : "RHBA-2025:0305",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet9.0-0:9.0.102-1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-01-21T00:00:00Z",
    "advisory" : "RHSA-2025:0532",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "dotnet8.0-0:8.0.112-1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "dotnet8.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "dotnet9.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Out of support scope",
    "package_name" : "dotnet6.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Out of support scope",
    "package_name" : "dotnet7.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-21173\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21173\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21173" ],
  "name" : "CVE-2025-21173",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}