{
  "threat_severity" : "Important",
  "public_date" : "2023-07-11T00:00:00Z",
  "bugzilla" : {
    "description" : "dotnet: elevation of privilege and code execution by taking control of the diagnostic port",
    "id" : "2221853",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2221853"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "details" : [ ".NET and Visual Studio Elevation of Privilege Vulnerability", "A vulnerability was found in dotNET applications where the Windows dotNET runtime exposes a diagnostic IPC endpoint (a named pipe) for collecting diagnostic information and debugging. A remote attacker can exploit DCOM applications that expose a diagnostic port to achieve cross-session/cross-user elevation of privilege (EoP) and code execution by taking control of the diagnostic port." ],
  "statement" : "This issue only affects dotNET on Windows. Red Hat offerings are not affected by CVE-2023-33127.",
  "package_state" : [ {
    "product_name" : ".NET 6.0 on Red Hat Enterprise Linux",
    "fix_state" : "Not affected",
    "package_name" : "rh-dotnet60-dotnet",
    "cpe" : "cpe:/a:redhat:rhel_dotnet:6.0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "dotnet6.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "dotnet7.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "dotnet6.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "dotnet7.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-33127\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-33127\nhttps://devblogs.microsoft.com/dotnet/july-2023-updates/\nhttps://github.com/dotnet/announcements/issues/263\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33127" ],
  "name" : "CVE-2023-33127",
  "csaw" : false
}