CVE-2020-8927: Brotli Library Buffer Overflow Vulnerability

Overview

Severity: Medium (CVSS 6.5)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: More Likely
Patch Tuesday: 2022-Mar
Released: 2022-03-08
Last Updated: 2022-04-12
EPSS Score: 0.31% (percentile: 54.1%)

FAQ

Why is this Google LLC CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in the Brotli library, which is consumed by .NET and by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of .NET and Visual Studio are no longer vulnerable. Please see "Security Update Guide Supports CVEs Assigned by Industry Partners" for more information.

Affected Products (10)

Developer Tools

  • .NET Core 3.1
  • .NET 5.0
  • Microsoft Visual Studio 2019 version 16.7 (includes 16.0 - 16.6)
  • Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)
  • Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
  • Microsoft Visual Studio 2022 version 17.0
  • PowerShell 7.2
  • PowerShell 7.1
  • PowerShell 7.0
  • Microsoft Visual Studio 2022 version 17.1

Security Updates (8)

Revision History

  • 2022-03-08: Information published.
  • 2022-03-08: Corrected Article links in the Security Updates table. This is an informational change only.
  • 2022-03-16: Revised the Security Updates table to include PowerShell 7.0, PowerShell 7.1, and PowerShell 7.2 because these versions of PowerShell 7 are affected by this vulnerability. See https://github.com/PowerShell/Announcements/issues/30 for more information.
  • 2022-04-12: The following changes were made: 1) Added Visual Studio 2022 version 17.1 to the Security Updates table as this version of Visual Studio is affected by this vulnerability. Customers running this version of Visual Studio 2022 should install the April 2022 security updates to be protected from this vulnerability. 2) Added Fixed Build Number to affected versions of .NET.