CVE-2020-0646

CVE Published	2020-01-14
Related CWE(s)	CWE-91: XML Injection (aka Blind XPath Injection)
Related Vendor(s)	microsoft
Related Product(s)	.net_framework
Exploitation Reported (CISA KEV)	2021-11-03
CVSS 3 Base Score	9.8 (CRITICAL)
CVSS 3 Attack Complexity	LOW
CVSS 3 Attack Vector	NETWORK

A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka '.NET Framework Remote Code Execution Injection Vulnerability'.

Cyber Threat Graph Context

Explore how this CVE relates to the wider threat graph

Associated CAPEC Patterns

XPath Injection (CAPEC-83)

An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.

XML Injection (CAPEC-250)

An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.

References

CVE.org

View more information about CVE-2020-0646 on the official MITRE CVE website.

NIST National Vulnerability Database

CVE-2020-0646 on the NIST NVD.

CISA Known Exploited Vulnerabilities