CVE-2025-21171

Publication date 15 January 2025

Last updated 16 January 2025

Ubuntu priority

Cvss 3 Severity Score

.NET Remote Code Execution Vulnerability: Buffer overrun in Convert.TryToHexString. An attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable web server.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
dotnet6	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not in release
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
dotnet7	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Ignored see notes
	20.04 LTS focal	Not in release
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
dotnet8	24.10 oracular	Not affected
	24.04 LTS noble	Not affected
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not in release
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
dotnet9	24.10 oracular	Fixed 9.0.102-9.0.1-0ubuntu1~24.10.1
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release

Notes

iconstantin

.NET 7 is end of life upstream.

Severity score breakdown

Parameter	Value
Base score	7.5 · High
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-7210-1
.NET vulnerabilities
16 January 2025