Description
JetBrains dotPeek before 2018.2 and ReSharper Ultimate before 2018.1.4 allow attackers to execute code by decompiling a compiled .NET object (such as a DLL or EXE file) with a specific file, because of Deserialization of Untrusted Data.
References (2)
Core 2
Core References
Patch, Vendor Advisory x_refsource_confirm
https://blog.jetbrains.com/dotnet/2018/08/02/resharper-ultimate-2018-1-4-rider-2018-1-4-released/
Third Party Advisory x_refsource_misc
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/
Scores
CVSS v3
7.8
EPSS
0.0000
EPSS Percentile
0.1%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (2)
jetbrains/dotpeek
< 2018.2
jetbrains/resharper_ultimate
< 2018.1.4
Published
Aug 13, 2018
Tracked Since
Feb 18, 2026