Advisory #65
| Title | .NET Runtime unsanitized NULL in environment variables |
| CVE ID | Not assigned |
| Vendor | Microsoft |
| Affected product | .NET Runtime |
| Affected versions | All versions |
| Vulnerability type | CWE-158 (Improper Neutralization of Null Byte or NUL Character) |
| Description | DISPUTED: .NET Runtime has a vulnerability that allows malicious environment variable values to set a different environment variable by using NULL bytes. NOTE: the vendor's position is that environment variable values should only take trusted and sanitized inputs. |
| Status | No fix available |
| Recommendation | Do not pass untrusted inputs to "ProcessStartInfo.Environment". |
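
One way to enforce the recommendation when variable values originate outside the process, shown as an added C# example (not code from the advisory or from Microsoft). `SafeEnvironment`, `Apply` and `Validate` are hypothetical names, the sample input is constructed, and the `=` check on names is an extra conservative assumption beyond what the advisory states.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;

static class SafeEnvironment
{
    // Hypothetical helper: validates every pair first, then copies them into
    // psi.Environment, so a rejected entry never leaves a half-applied set.
    public static void Apply(ProcessStartInfo psi,
                             IEnumerable<KeyValuePair<string, string>> untrusted)
    {
        var pairs = untrusted.ToList();
        foreach (var (name, value) in pairs) Validate(name, value);
        foreach (var (name, value) in pairs) psi.Environment[name] = value;
    }

    public static void Validate(string name, string value)
    {
        if (string.IsNullOrEmpty(name))
            throw new ArgumentException("Environment variable name is empty.");
        // Assumption: names from untrusted input never need '=' or NUL.
        if (name.IndexOf('\0') >= 0 || name.IndexOf('=') >= 0)
            throw new ArgumentException("Environment variable name contains NUL or '='.");
        // The case the advisory describes: a NUL inside the value.
        if (value is not null && value.IndexOf('\0') >= 0)
            throw new ArgumentException($"Value for '{name}' contains a NUL character.");
    }
}

static class Program
{
    static void Main()
    {
        var psi = new ProcessStartInfo("dotnet", "--info") { UseShellExecute = false };

        // Constructed sample input: the second value embeds a NUL followed by
        // what looks like another NAME=VALUE pair.
        var input = new Dictionary<string, string>
        {
            ["APP_MODE"] = "production",
            ["APP_LABEL"] = "demo\0EXTRA_VAR=injected",
        };

        try { SafeEnvironment.Apply(psi, input); }
        catch (ArgumentException ex) { Console.WriteLine($"rejected: {ex.Message}"); }

        // Nothing was copied because validation runs before any assignment.
        Console.WriteLine($"APP_MODE set: {psi.Environment.ContainsKey("APP_MODE")}");
    }
}
```

Rejecting the input outright, rather than stripping the NUL and continuing, keeps a malformed value from reaching the child process in any altered form.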