Reporting vulnerabilities

Please report security vulnerabilities using our contact form.

Known vulnerabilities

Some versions of Mono had security vulnerabilities found after their public release. This page contains a list of the known vulnerabilities, starting with the most recent one.

Mono System.Web Header Injection Attack

CVE: CVE-2008-3906 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3906)

Version affected

• Mono 1.x

Version fixed:

• Mono 2.0

Mono ASP.NET Cross-Site Scripting

CVE: CVE-2008-3422 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3422)

Version affected

• Mono 1.x

Version fixed:

• Mono 2.0

BigInteger unsafe code overflow

CVE: CVE-2007-5197 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5197)

Version affected

• Mono 1.x

Version fixed:

• Mono 1.2.5.1

Notes:

• beware unsafe code

XSP source code disclosure [Windows]

CVE: CVE-2007-5473 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5473)

Version affected

• Mono 1.x running on Windows operating systems

Fixed in

• Mono 1.2.5.2

Notes:

• Mono's System.Web.dll assembly didn't consider, before version 1.2.5.2, some Win32-specific behavior affecting filenames ending with spaces or dots. Win32 operating systems ignores the trailing characters, even if the file-system supports them, and can access the similarly named files without reporting any error. This caused XSP to return ASP.NET source code, instead of rendered content, when executed with Mono under Windows

XSP/mod_mono source code disclosure

CVE: CVE-2006-6104 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6104)

Version affected

• Mono 1.1.13.x (and later 1.1.x versions)
• Mono 1.2.x

Fixed in

• Mono 1.2.2
• Mono 1.1.13.8.2

Notes

• The problem is exhibited in XSP and, in certain cases mod_mono (when configured with SetHandler) but the fix is in the Mono class libraries. To avoid any compatibility issues you should update both Mono and XSP/mod_mono to the same version.

Workaround

• Use Apache/Mod_mono configured with AddHander.

Local privilege escalation via System.Xml.Serialization

CVE: CVE-2006-5072 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5072)

Version affected

• Mono 1.1.17 (and prior releases)

Fixed in

• Mono 1.1.17.2
• Mono 1.1.13.8.1

Workaround

• Code generation for serialization can be turned off using export MONO_XMLSERIALIZER_THS=no prior to executing Mono applications

XSP/mod_mono directory traversal

CVE: CVE-2006-2658 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2658)

Versions affected

• mod_mono 1.1.14 (and prior releases)

Fixed in

• XSP 1.1.15
• XSP 1.1.13.7, 1.1.7.13
• XSP 1.0.9.1, 1.0.6.1

Notes

• Yes the affected/fixed products are confusing. The bug was in XSP but only exposed when using mod_mono. You should update both packages to avoid compatibility issues.

Mono ASP.NET Unicode Conversion Cross-Site Scripting

CVE: CVE-2005-0509 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0509)

Versions affected

• Mono 1.0.5 (and prior 1.0.x releases)
• Mono 1.1.3 (and prior 1.1.x releases)

Fixed in

• Mono 1.0.6
• Mono 1.1.4

Notes

• This vulnerability wasn't fixed in MS ASP.NET implementation and could potentially lead into a small interoperability problem.