CVE-2018-8416
Description
A tampering vulnerability exists when .NET Core improperly handles specially crafted files, aka ".NET Core Tampering Vulnerability." This affects .NET Core 2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
.NET Core 2.1 tampering vulnerability in System.IO.Compression.ZipFile allows arbitrary file and directory creation via crafted ZIP files.
Vulnerability
A tampering vulnerability exists in .NET Core 2.1 when System.IO.Compression.ZipFile improperly handles specially crafted ZIP files [3]. This affects .NET Core applications using the Microsoft.NETCore.App package versions 2.1.0 through 2.1.6 [3]. The vulnerable component is the ZIP extraction functionality.
Exploitation
An attacker must send a specially crafted ZIP file to a vulnerable application that extracts it using System.IO.Compression.ZipFile [3]. The attacker requires no special privileges beyond the ability to deliver the file (e.g., via upload, email, or network share). The exploitation does not require user interaction beyond the extraction process [2][3].
Impact
Successful exploitation allows an attacker to write arbitrary files and directories to certain locations on the system, though the destination is limited [3]. This could lead to tampering of application or system files, potentially enabling further compromise such as privilege escalation or code execution [2][3].
Mitigation
The vulnerability is fixed in .NET Core 2.1.7 [3]. Users should update the Microsoft.NETCore.App package to version 2.1.7 or later [3]. If the application does not extract ZIP files, it is unaffected [3]. For Red Hat Enterprise Linux, the fix is included in rh-dotnet21-dotnet-2.1.500-5.el7 [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.NETCore.App (NuGet) | >= 2.1.0, < 2.1.7 | 2.1.7 |
Affected products
- Microsoft/.NET Core (v5), Range: 2.1
References
- access.redhat.com/errata/RHSA-2018:3676 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- github.com/advisories/GHSA-5633-f33j-c6f7 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-8416 (ghsa, ADVISORY)
- www.securityfocus.com/bid/105798 (mitre, vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1042128 (mitre, vdb-entry, x_refsource_SECTRACK)
- github.com/dotnet/announcements/issues/95 (ghsa, WEB)
- github.com/github/advisory-database/issues/302 (ghsa, WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8416 (ghsa, x_refsource_CONFIRM, WEB)