CVE-2010-4254

critical

Description

Mono, when Moonlight before 2.3.0.1 or 2.99.x before 2.99.0.10 is used, does not properly validate arguments to generic methods, which allows remote attackers to bypass generic constraints, and possibly execute arbitrary code, via a crafted method call.

References

https://github.com/mono/mono/commit/cf1ec146f7c6acdc6697032b3aaafc68ffacdcac

https://github.com/mono/mono/commit/65292a69c837b8a5f7a392d34db63de592153358

https://github.com/mono/mono/commit/4905ef1130feb26c3150b28b97e4a96752e0d399

https://bugzilla.novell.com/show_bug.cgi?id=655847

https://bugzilla.novell.com/show_bug.cgi?id=654136

http://www.vupen.com/english/advisories/2011/0076

http://www.securityfocus.com/bid/45051

http://www.mono-project.com/Vulnerabilities#Moonlight_Generic_Constraints_Bypass_Vulnerability

http://www.exploit-db.com/exploits/15974

http://secunia.com/advisories/42877

http://secunia.com/advisories/42373

http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.html

Details

Source: Mitre, NVD

Published: 2010-12-06

Updated: 2011-02-02

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical