{"vulnerabilities":[{"name":"CVE-2018-8409","type":"CVE","severity":"high","score":"5.0","cvss3_severity":"HIGH","cvss3_score":"7.5","publishDate":"2018-09-13","lastUpdatedDate":"2018-11-19","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-8409","description":"A denial of service vulnerability exists when System.IO.Pipelines improperly handles requests, aka \"System.IO.Pipelines Denial of Service.\" This affects .NET Core 2.1, System.IO.Pipelines, ASP.NET Core 2.1.","project":"devplan-ui-api","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"library":{"keyUuid":"8538e060-6a9c-455f-8f9e-04678ae730a5","filename":"microsoft.aspnetcore.app.2.1.1.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Microsoft.AspNetCore.App","sha1":"469809e66c5cf83e052e1e7368cc06b41356f88b","name":"Microsoft.AspNetCore.App","artifactId":"microsoft.aspnetcore.app.2.1.1.nupkg","version":"2.1.1","groupId":"Microsoft.AspNetCore.App","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-8409","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-8409","fixResolution":"Upgrade to version System.IO.Pipelines-4.5.1, Microsoft.AspNetCore.All-2.1.4, Microsoft.AspNetCore.App-2.1.4","date":"2018-09-13 00:29:02","message":"Upgrade to version"}},{"name":"CVE-2019-1301","type":"CVE","severity":"high","score":"5.0","cvss3_severity":"HIGH","cvss3_score":"7.5","publishDate":"2019-09-11","lastUpdatedDate":"2019-09-12","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2019-1301","description":"A denial of service vulnerability exists when .NET Core improperly handles web requests, aka \u0027.NET Core Denial of Service Vulnerability\u0027.","project":"devplan-ui-api","product":"production","cvss3Attributes":{},"library":{"keyUuid":"8538e060-6a9c-455f-8f9e-04678ae730a5","filename":"microsoft.aspnetcore.app.2.1.1.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Microsoft.AspNetCore.App","sha1":"469809e66c5cf83e052e1e7368cc06b41356f88b","name":"Microsoft.AspNetCore.App","artifactId":"microsoft.aspnetcore.app.2.1.1.nupkg","version":"2.1.1","groupId":"Microsoft.AspNetCore.App","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2019-1301","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/dotnet/announcements/issues/121","fixResolution":"Upgrade to version 2.2.7;2.1.13","date":"2019-09-11 22:15:00","message":"Upgrade to version"}},{"name":"CVE-2019-1302","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"8.8","publishDate":"2019-09-11","lastUpdatedDate":"2019-09-12","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2019-1302","description":"An elevation of privilege vulnerability exists when a ASP.NET Core web application, created using vulnerable project templates, fails to properly sanitize web requests, aka \u0027ASP.NET Core Elevation Of Privilege Vulnerability\u0027.","project":"devplan-ui-api","product":"production","cvss3Attributes":{},"library":{"keyUuid":"8538e060-6a9c-455f-8f9e-04678ae730a5","filename":"microsoft.aspnetcore.app.2.1.1.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Microsoft.AspNetCore.App","sha1":"469809e66c5cf83e052e1e7368cc06b41356f88b","name":"Microsoft.AspNetCore.App","artifactId":"microsoft.aspnetcore.app.2.1.1.nupkg","version":"2.1.1","groupId":"Microsoft.AspNetCore.App","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2019-1302","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2019-1302","fixResolution":"Upgrade to version 2.2.7;2.1.13","date":"2019-09-11 22:15:00","message":"Upgrade to version"}},{"name":"CVE-2017-0247","type":"CVE","severity":"high","score":"5.0","cvss3_severity":"HIGH","cvss3_score":"7.5","publishDate":"2017-05-12","lastUpdatedDate":"2017-08-10","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0247","description":"A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.","project":"edgeimport-insights","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"library":{"keyUuid":"9ab15887-6433-454b-a5bd-bdcc54e930fd","filename":"microsoft.net.compilers.2.10.0.nupkg","type":"NUGET_PACKAGE_MODULE","description":".NET Compilers package.","sha1":"c00af55d640c0982d1f3188db491a6bd8d1e6947","name":"Microsoft.Net.Compilers","artifactId":"microsoft.net.compilers.2.10.0.nupkg","version":"2.10.0","groupId":"Microsoft.Net.Compilers","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0247","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.3.1;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3","date":"2019-04-03 13:24:40","message":"Upgrade to version","extraData":""}},{"name":"CVE-2017-0247","type":"CVE","severity":"high","score":"5.0","cvss3_severity":"HIGH","cvss3_score":"7.5","publishDate":"2017-05-12","lastUpdatedDate":"2017-08-10","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0247","description":"A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.","project":"lms-curriculum-training","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"library":{"keyUuid":"9ab15887-6433-454b-a5bd-bdcc54e930fd","filename":"microsoft.net.compilers.2.10.0.nupkg","type":"NUGET_PACKAGE_MODULE","description":".NET Compilers package.","sha1":"c00af55d640c0982d1f3188db491a6bd8d1e6947","name":"Microsoft.Net.Compilers","artifactId":"microsoft.net.compilers.2.10.0.nupkg","version":"2.10.0","groupId":"Microsoft.Net.Compilers","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0247","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.3.1;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3","date":"2019-04-03 13:24:40","message":"Upgrade to version","extraData":""}},{"name":"CVE-2017-0247","type":"CVE","severity":"high","score":"5.0","cvss3_severity":"HIGH","cvss3_score":"7.5","publishDate":"2017-05-12","lastUpdatedDate":"2017-08-10","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0247","description":"A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.","project":"lms-onlinecourse-service","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"library":{"keyUuid":"9ab15887-6433-454b-a5bd-bdcc54e930fd","filename":"microsoft.net.compilers.2.10.0.nupkg","type":"NUGET_PACKAGE_MODULE","description":".NET Compilers package.","sha1":"c00af55d640c0982d1f3188db491a6bd8d1e6947","name":"Microsoft.Net.Compilers","artifactId":"microsoft.net.compilers.2.10.0.nupkg","version":"2.10.0","groupId":"Microsoft.Net.Compilers","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0247","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.3.1;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3","date":"2019-04-03 13:24:40","message":"Upgrade to version","extraData":""}},{"name":"CVE-2017-0247","type":"CVE","severity":"high","score":"5.0","cvss3_severity":"HIGH","cvss3_score":"7.5","publishDate":"2017-05-12","lastUpdatedDate":"2017-08-10","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0247","description":"A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.","project":"lms-curriculum-transcript","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"library":{"keyUuid":"9ab15887-6433-454b-a5bd-bdcc54e930fd","filename":"microsoft.net.compilers.2.10.0.nupkg","type":"NUGET_PACKAGE_MODULE","description":".NET Compilers package.","sha1":"c00af55d640c0982d1f3188db491a6bd8d1e6947","name":"Microsoft.Net.Compilers","artifactId":"microsoft.net.compilers.2.10.0.nupkg","version":"2.10.0","groupId":"Microsoft.Net.Compilers","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0247","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.3.1;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3","date":"2019-04-03 13:24:40","message":"Upgrade to version","extraData":""}},{"name":"CVE-2017-0248","type":"CVE","severity":"high","score":"5.0","cvss3_severity":"HIGH","cvss3_score":"7.5","publishDate":"2017-05-12","lastUpdatedDate":"2019-10-03","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0248","description":"Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka \".NET Security Feature Bypass Vulnerability.\"","project":"edgeimport-insights","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"library":{"keyUuid":"9ab15887-6433-454b-a5bd-bdcc54e930fd","filename":"microsoft.net.compilers.2.10.0.nupkg","type":"NUGET_PACKAGE_MODULE","description":".NET Compilers package.","sha1":"c00af55d640c0982d1f3188db491a6bd8d1e6947","name":"Microsoft.Net.Compilers","artifactId":"microsoft.net.compilers.2.10.0.nupkg","version":"2.10.0","groupId":"Microsoft.Net.Compilers","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1, 4.3.1;System.Net.Http - 4.1.2, 4.3.2;System.Net.Http.WinHttpHandler - 4.0.2, 4.3.1;System.Net.Security - 4.0.1, 4.3.1;System.Net.WebSockets.Client - 4.0.1, 4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4, 1.1.3","date":"2019-05-31 07:56:58","message":"Upgrade to version","extraData":""},"allFixes":[{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1, 4.3.1;System.Net.Http - 4.1.2, 4.3.2;System.Net.Http.WinHttpHandler - 4.0.2, 4.3.1;System.Net.Security - 4.0.1, 4.3.1;System.Net.WebSockets.Client - 4.0.1, 4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4, 1.1.3","date":"2019-05-31 07:56:58","message":"Upgrade to version","extraData":""},{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"SECURITY_TRACKER","url":"http://www.securitytracker.com/id/1038458","fixResolution":"The vendor has issued a fix.\n\nA restart is required.\n\nThe vendor advisory is available at:\n\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0248","date":"2017-12-31 18:09:04","message":"Microsoft .NET Lets Remote Users Bypass Certificate Use Restrictions on the Target System","extraData":"key\u003d1038458"}]},{"name":"CVE-2017-0248","type":"CVE","severity":"high","score":"5.0","cvss3_severity":"HIGH","cvss3_score":"7.5","publishDate":"2017-05-12","lastUpdatedDate":"2019-10-03","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0248","description":"Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka \".NET Security Feature Bypass Vulnerability.\"","project":"lms-curriculum-training","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"library":{"keyUuid":"9ab15887-6433-454b-a5bd-bdcc54e930fd","filename":"microsoft.net.compilers.2.10.0.nupkg","type":"NUGET_PACKAGE_MODULE","description":".NET Compilers package.","sha1":"c00af55d640c0982d1f3188db491a6bd8d1e6947","name":"Microsoft.Net.Compilers","artifactId":"microsoft.net.compilers.2.10.0.nupkg","version":"2.10.0","groupId":"Microsoft.Net.Compilers","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1, 4.3.1;System.Net.Http - 4.1.2, 4.3.2;System.Net.Http.WinHttpHandler - 4.0.2, 4.3.1;System.Net.Security - 4.0.1, 4.3.1;System.Net.WebSockets.Client - 4.0.1, 4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4, 1.1.3","date":"2019-05-31 07:56:58","message":"Upgrade to version","extraData":""},"allFixes":[{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1, 4.3.1;System.Net.Http - 4.1.2, 4.3.2;System.Net.Http.WinHttpHandler - 4.0.2, 4.3.1;System.Net.Security - 4.0.1, 4.3.1;System.Net.WebSockets.Client - 4.0.1, 4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4, 1.1.3","date":"2019-05-31 07:56:58","message":"Upgrade to version","extraData":""},{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"SECURITY_TRACKER","url":"http://www.securitytracker.com/id/1038458","fixResolution":"The vendor has issued a fix.\n\nA restart is required.\n\nThe vendor advisory is available at:\n\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0248","date":"2017-12-31 18:09:04","message":"Microsoft .NET Lets Remote Users Bypass Certificate Use Restrictions on the Target System","extraData":"key\u003d1038458"}]},{"name":"CVE-2017-0248","type":"CVE","severity":"high","score":"5.0","cvss3_severity":"HIGH","cvss3_score":"7.5","publishDate":"2017-05-12","lastUpdatedDate":"2019-10-03","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0248","description":"Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka \".NET Security Feature Bypass Vulnerability.\"","project":"lms-onlinecourse-service","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"library":{"keyUuid":"9ab15887-6433-454b-a5bd-bdcc54e930fd","filename":"microsoft.net.compilers.2.10.0.nupkg","type":"NUGET_PACKAGE_MODULE","description":".NET Compilers package.","sha1":"c00af55d640c0982d1f3188db491a6bd8d1e6947","name":"Microsoft.Net.Compilers","artifactId":"microsoft.net.compilers.2.10.0.nupkg","version":"2.10.0","groupId":"Microsoft.Net.Compilers","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1, 4.3.1;System.Net.Http - 4.1.2, 4.3.2;System.Net.Http.WinHttpHandler - 4.0.2, 4.3.1;System.Net.Security - 4.0.1, 4.3.1;System.Net.WebSockets.Client - 4.0.1, 4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4, 1.1.3","date":"2019-05-31 07:56:58","message":"Upgrade to version","extraData":""},"allFixes":[{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1, 4.3.1;System.Net.Http - 4.1.2, 4.3.2;System.Net.Http.WinHttpHandler - 4.0.2, 4.3.1;System.Net.Security - 4.0.1, 4.3.1;System.Net.WebSockets.Client - 4.0.1, 4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4, 1.1.3","date":"2019-05-31 07:56:58","message":"Upgrade to version","extraData":""},{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"SECURITY_TRACKER","url":"http://www.securitytracker.com/id/1038458","fixResolution":"The vendor has issued a fix.\n\nA restart is required.\n\nThe vendor advisory is available at:\n\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0248","date":"2017-12-31 18:09:04","message":"Microsoft .NET Lets Remote Users Bypass Certificate Use Restrictions on the Target System","extraData":"key\u003d1038458"}]},{"name":"CVE-2017-0248","type":"CVE","severity":"high","score":"5.0","cvss3_severity":"HIGH","cvss3_score":"7.5","publishDate":"2017-05-12","lastUpdatedDate":"2019-10-03","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0248","description":"Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka \".NET Security Feature Bypass Vulnerability.\"","project":"lms-curriculum-transcript","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"library":{"keyUuid":"9ab15887-6433-454b-a5bd-bdcc54e930fd","filename":"microsoft.net.compilers.2.10.0.nupkg","type":"NUGET_PACKAGE_MODULE","description":".NET Compilers package.","sha1":"c00af55d640c0982d1f3188db491a6bd8d1e6947","name":"Microsoft.Net.Compilers","artifactId":"microsoft.net.compilers.2.10.0.nupkg","version":"2.10.0","groupId":"Microsoft.Net.Compilers","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1, 4.3.1;System.Net.Http - 4.1.2, 4.3.2;System.Net.Http.WinHttpHandler - 4.0.2, 4.3.1;System.Net.Security - 4.0.1, 4.3.1;System.Net.WebSockets.Client - 4.0.1, 4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4, 1.1.3","date":"2019-05-31 07:56:58","message":"Upgrade to version","extraData":""},"allFixes":[{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1, 4.3.1;System.Net.Http - 4.1.2, 4.3.2;System.Net.Http.WinHttpHandler - 4.0.2, 4.3.1;System.Net.Security - 4.0.1, 4.3.1;System.Net.WebSockets.Client - 4.0.1, 4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4, 1.1.3","date":"2019-05-31 07:56:58","message":"Upgrade to version","extraData":""},{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"SECURITY_TRACKER","url":"http://www.securitytracker.com/id/1038458","fixResolution":"The vendor has issued a fix.\n\nA restart is required.\n\nThe vendor advisory is available at:\n\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0248","date":"2017-12-31 18:09:04","message":"Microsoft .NET Lets Remote Users Bypass Certificate Use Restrictions on the Target System","extraData":"key\u003d1038458"}]},{"name":"CVE-2017-0249","type":"CVE","severity":"high","score":"7.5","cvss3_severity":"HIGH","cvss3_score":"7.3","publishDate":"2017-05-12","lastUpdatedDate":"2017-08-10","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0249","description":"An elevation of privilege vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.","project":"edgeimport-insights","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"library":{"keyUuid":"9ab15887-6433-454b-a5bd-bdcc54e930fd","filename":"microsoft.net.compilers.2.10.0.nupkg","type":"NUGET_PACKAGE_MODULE","description":".NET Compilers package.","sha1":"c00af55d640c0982d1f3188db491a6bd8d1e6947","name":"Microsoft.Net.Compilers","artifactId":"microsoft.net.compilers.2.10.0.nupkg","version":"2.10.0","groupId":"Microsoft.Net.Compilers","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0249","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.3.1;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3","date":"2019-01-24 11:39:08","message":"Upgrade to version","extraData":""}},{"name":"CVE-2017-0249","type":"CVE","severity":"high","score":"7.5","cvss3_severity":"HIGH","cvss3_score":"7.3","publishDate":"2017-05-12","lastUpdatedDate":"2017-08-10","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0249","description":"An elevation of privilege vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.","project":"lms-curriculum-training","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"library":{"keyUuid":"9ab15887-6433-454b-a5bd-bdcc54e930fd","filename":"microsoft.net.compilers.2.10.0.nupkg","type":"NUGET_PACKAGE_MODULE","description":".NET Compilers package.","sha1":"c00af55d640c0982d1f3188db491a6bd8d1e6947","name":"Microsoft.Net.Compilers","artifactId":"microsoft.net.compilers.2.10.0.nupkg","version":"2.10.0","groupId":"Microsoft.Net.Compilers","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0249","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.3.1;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3","date":"2019-01-24 11:39:08","message":"Upgrade to version","extraData":""}},{"name":"CVE-2017-0249","type":"CVE","severity":"high","score":"7.5","cvss3_severity":"HIGH","cvss3_score":"7.3","publishDate":"2017-05-12","lastUpdatedDate":"2017-08-10","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0249","description":"An elevation of privilege vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.","project":"lms-onlinecourse-service","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"library":{"keyUuid":"9ab15887-6433-454b-a5bd-bdcc54e930fd","filename":"microsoft.net.compilers.2.10.0.nupkg","type":"NUGET_PACKAGE_MODULE","description":".NET Compilers package.","sha1":"c00af55d640c0982d1f3188db491a6bd8d1e6947","name":"Microsoft.Net.Compilers","artifactId":"microsoft.net.compilers.2.10.0.nupkg","version":"2.10.0","groupId":"Microsoft.Net.Compilers","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0249","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.3.1;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3","date":"2019-01-24 11:39:08","message":"Upgrade to version","extraData":""}},{"name":"CVE-2017-0249","type":"CVE","severity":"high","score":"7.5","cvss3_severity":"HIGH","cvss3_score":"7.3","publishDate":"2017-05-12","lastUpdatedDate":"2017-08-10","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0249","description":"An elevation of privilege vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.","project":"lms-curriculum-transcript","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"library":{"keyUuid":"9ab15887-6433-454b-a5bd-bdcc54e930fd","filename":"microsoft.net.compilers.2.10.0.nupkg","type":"NUGET_PACKAGE_MODULE","description":".NET Compilers package.","sha1":"c00af55d640c0982d1f3188db491a6bd8d1e6947","name":"Microsoft.Net.Compilers","artifactId":"microsoft.net.compilers.2.10.0.nupkg","version":"2.10.0","groupId":"Microsoft.Net.Compilers","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0249","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.3.1;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3","date":"2019-01-24 11:39:08","message":"Upgrade to version","extraData":""}},{"name":"CVE-2017-0247","type":"CVE","severity":"high","score":"5.0","cvss3_severity":"HIGH","cvss3_score":"7.5","publishDate":"2017-05-12","lastUpdatedDate":"2017-08-10","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0247","description":"A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.","project":"edgeimport-insights","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"library":{"keyUuid":"befb7950-f49d-4e17-95e6-b9d29943d7b7","filename":"microsoft.codedom.providers.dotnetcompilerplatform.2.0.1.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Replacement CodeDOM providers that use the new .NET Compiler Platform (\"Roslyn\") compiler as a servi...","sha1":"ac6749bfc2a6eb64c21810488a4e0c3184786fee","name":"Microsoft.CodeDom.Providers.DotNetCompilerPlatform","artifactId":"microsoft.codedom.providers.dotnetcompilerplatform.2.0.1.nupkg","version":"2.0.1","groupId":"Microsoft.CodeDom.Providers.DotNetCompilerPlatform","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0247","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.3.1;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3","date":"2019-04-03 13:24:40","message":"Upgrade to version","extraData":""}},{"name":"CVE-2017-0247","type":"CVE","severity":"high","score":"5.0","cvss3_severity":"HIGH","cvss3_score":"7.5","publishDate":"2017-05-12","lastUpdatedDate":"2017-08-10","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0247","description":"A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.","project":"core-partner-user-monolith-adapter","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"library":{"keyUuid":"befb7950-f49d-4e17-95e6-b9d29943d7b7","filename":"microsoft.codedom.providers.dotnetcompilerplatform.2.0.1.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Replacement CodeDOM providers that use the new .NET Compiler Platform (\"Roslyn\") compiler as a servi...","sha1":"ac6749bfc2a6eb64c21810488a4e0c3184786fee","name":"Microsoft.CodeDom.Providers.DotNetCompilerPlatform","artifactId":"microsoft.codedom.providers.dotnetcompilerplatform.2.0.1.nupkg","version":"2.0.1","groupId":"Microsoft.CodeDom.Providers.DotNetCompilerPlatform","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0247","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.3.1;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3","date":"2019-04-03 13:24:40","message":"Upgrade to version","extraData":""}},{"name":"CVE-2017-0248","type":"CVE","severity":"high","score":"5.0","cvss3_severity":"HIGH","cvss3_score":"7.5","publishDate":"2017-05-12","lastUpdatedDate":"2019-10-03","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0248","description":"Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka \".NET Security Feature Bypass Vulnerability.\"","project":"edgeimport-insights","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"library":{"keyUuid":"befb7950-f49d-4e17-95e6-b9d29943d7b7","filename":"microsoft.codedom.providers.dotnetcompilerplatform.2.0.1.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Replacement CodeDOM providers that use the new .NET Compiler Platform (\"Roslyn\") compiler as a servi...","sha1":"ac6749bfc2a6eb64c21810488a4e0c3184786fee","name":"Microsoft.CodeDom.Providers.DotNetCompilerPlatform","artifactId":"microsoft.codedom.providers.dotnetcompilerplatform.2.0.1.nupkg","version":"2.0.1","groupId":"Microsoft.CodeDom.Providers.DotNetCompilerPlatform","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1, 4.3.1;System.Net.Http - 4.1.2, 4.3.2;System.Net.Http.WinHttpHandler - 4.0.2, 4.3.1;System.Net.Security - 4.0.1, 4.3.1;System.Net.WebSockets.Client - 4.0.1, 4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4, 1.1.3","date":"2019-05-31 07:56:58","message":"Upgrade to version","extraData":""},"allFixes":[{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1, 4.3.1;System.Net.Http - 4.1.2, 4.3.2;System.Net.Http.WinHttpHandler - 4.0.2, 4.3.1;System.Net.Security - 4.0.1, 4.3.1;System.Net.WebSockets.Client - 4.0.1, 4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4, 1.1.3","date":"2019-05-31 07:56:58","message":"Upgrade to version","extraData":""},{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"SECURITY_TRACKER","url":"http://www.securitytracker.com/id/1038458","fixResolution":"The vendor has issued a fix.\n\nA restart is required.\n\nThe vendor advisory is available at:\n\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0248","date":"2017-12-31 18:09:04","message":"Microsoft .NET Lets Remote Users Bypass Certificate Use Restrictions on the Target System","extraData":"key\u003d1038458"}]},{"name":"CVE-2017-0248","type":"CVE","severity":"high","score":"5.0","cvss3_severity":"HIGH","cvss3_score":"7.5","publishDate":"2017-05-12","lastUpdatedDate":"2019-10-03","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0248","description":"Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka \".NET Security Feature Bypass Vulnerability.\"","project":"core-partner-user-monolith-adapter","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"library":{"keyUuid":"befb7950-f49d-4e17-95e6-b9d29943d7b7","filename":"microsoft.codedom.providers.dotnetcompilerplatform.2.0.1.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Replacement CodeDOM providers that use the new .NET Compiler Platform (\"Roslyn\") compiler as a servi...","sha1":"ac6749bfc2a6eb64c21810488a4e0c3184786fee","name":"Microsoft.CodeDom.Providers.DotNetCompilerPlatform","artifactId":"microsoft.codedom.providers.dotnetcompilerplatform.2.0.1.nupkg","version":"2.0.1","groupId":"Microsoft.CodeDom.Providers.DotNetCompilerPlatform","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1, 4.3.1;System.Net.Http - 4.1.2, 4.3.2;System.Net.Http.WinHttpHandler - 4.0.2, 4.3.1;System.Net.Security - 4.0.1, 4.3.1;System.Net.WebSockets.Client - 4.0.1, 4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4, 1.1.3","date":"2019-05-31 07:56:58","message":"Upgrade to version","extraData":""},"allFixes":[{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1, 4.3.1;System.Net.Http - 4.1.2, 4.3.2;System.Net.Http.WinHttpHandler - 4.0.2, 4.3.1;System.Net.Security - 4.0.1, 4.3.1;System.Net.WebSockets.Client - 4.0.1, 4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4, 1.1.3","date":"2019-05-31 07:56:58","message":"Upgrade to version","extraData":""},{"vulnerability":"CVE-2017-0248","type":"UPGRADE_VERSION","origin":"SECURITY_TRACKER","url":"http://www.securitytracker.com/id/1038458","fixResolution":"The vendor has issued a fix.\n\nA restart is required.\n\nThe vendor advisory is available at:\n\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0248","date":"2017-12-31 18:09:04","message":"Microsoft .NET Lets Remote Users Bypass Certificate Use Restrictions on the Target System","extraData":"key\u003d1038458"}]},{"name":"CVE-2017-0249","type":"CVE","severity":"high","score":"7.5","cvss3_severity":"HIGH","cvss3_score":"7.3","publishDate":"2017-05-12","lastUpdatedDate":"2017-08-10","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0249","description":"An elevation of privilege vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.","project":"edgeimport-insights","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"library":{"keyUuid":"befb7950-f49d-4e17-95e6-b9d29943d7b7","filename":"microsoft.codedom.providers.dotnetcompilerplatform.2.0.1.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Replacement CodeDOM providers that use the new .NET Compiler Platform (\"Roslyn\") compiler as a servi...","sha1":"ac6749bfc2a6eb64c21810488a4e0c3184786fee","name":"Microsoft.CodeDom.Providers.DotNetCompilerPlatform","artifactId":"microsoft.codedom.providers.dotnetcompilerplatform.2.0.1.nupkg","version":"2.0.1","groupId":"Microsoft.CodeDom.Providers.DotNetCompilerPlatform","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0249","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.3.1;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3","date":"2019-01-24 11:39:08","message":"Upgrade to version","extraData":""}},{"name":"CVE-2017-0249","type":"CVE","severity":"high","score":"7.5","cvss3_severity":"HIGH","cvss3_score":"7.3","publishDate":"2017-05-12","lastUpdatedDate":"2017-08-10","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-0249","description":"An elevation of privilege vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.","project":"core-partner-user-monolith-adapter","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"library":{"keyUuid":"befb7950-f49d-4e17-95e6-b9d29943d7b7","filename":"microsoft.codedom.providers.dotnetcompilerplatform.2.0.1.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Replacement CodeDOM providers that use the new .NET Compiler Platform (\"Roslyn\") compiler as a servi...","sha1":"ac6749bfc2a6eb64c21810488a4e0c3184786fee","name":"Microsoft.CodeDom.Providers.DotNetCompilerPlatform","artifactId":"microsoft.codedom.providers.dotnetcompilerplatform.2.0.1.nupkg","version":"2.0.1","groupId":"Microsoft.CodeDom.Providers.DotNetCompilerPlatform","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-0249","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://github.com/aspnet/Announcements/issues/239","fixResolution":"Upgrade to version System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.3.1;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3","date":"2019-01-24 11:39:08","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"content-online-content-api","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"d69b7c9d-baf8-4d35-8d96-d9a4311c33e9","filename":"roslynsecurityguard.2.3.0.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"b9cabfd90f10b0a9cd15197a08befaabc052360f","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.3.0.nupkg","version":"2.3.0","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"vilt-provider","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"daf40ef7-c8ea-4697-b2cc-28c2c0441c1e","filename":"yamldotnet.4.2.3.nupkg","type":"NUGET_PACKAGE_MODULE","description":"A .NET library for YAML. YamlDotNet provides low level parsing and emitting of YAML as well as a hig...","sha1":"05a43a7024110583fdf6068cd0be1b11567265ad","name":"YamlDotNet","artifactId":"yamldotnet.4.2.3.nupkg","version":"4.2.3","groupId":"YamlDotNet","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"training-search","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"daf40ef7-c8ea-4697-b2cc-28c2c0441c1e","filename":"yamldotnet.4.2.3.nupkg","type":"NUGET_PACKAGE_MODULE","description":"A .NET library for YAML. YamlDotNet provides low level parsing and emitting of YAML as well as a hig...","sha1":"05a43a7024110583fdf6068cd0be1b11567265ad","name":"YamlDotNet","artifactId":"yamldotnet.4.2.3.nupkg","version":"4.2.3","groupId":"YamlDotNet","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"ats-career-site-api","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"daf40ef7-c8ea-4697-b2cc-28c2c0441c1e","filename":"yamldotnet.4.2.3.nupkg","type":"NUGET_PACKAGE_MODULE","description":"A .NET library for YAML. YamlDotNet provides low level parsing and emitting of YAML as well as a hig...","sha1":"05a43a7024110583fdf6068cd0be1b11567265ad","name":"YamlDotNet","artifactId":"yamldotnet.4.2.3.nupkg","version":"4.2.3","groupId":"YamlDotNet","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"ats-career-center-api","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"daf40ef7-c8ea-4697-b2cc-28c2c0441c1e","filename":"yamldotnet.4.2.3.nupkg","type":"NUGET_PACKAGE_MODULE","description":"A .NET library for YAML. YamlDotNet provides low level parsing and emitting of YAML as well as a hig...","sha1":"05a43a7024110583fdf6068cd0be1b11567265ad","name":"YamlDotNet","artifactId":"yamldotnet.4.2.3.nupkg","version":"4.2.3","groupId":"YamlDotNet","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"engage-authoring","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"core-availability-service","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"engage-reporting","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"training-subscription-digest-sync-service","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"core-qa-service","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"user-filter","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"apiconnector-integrations-sso","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"ats-hiring-dashboard-api","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"ats-smashfly-cache-service","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"apiconnector-integrations-workplace","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"chr-duplicateuserdetection-api","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"training-subscription-report-service","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"lms-versioningshowrunner","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"feedback-api","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"wfp-costing","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"ats-recruiting-agency-posting-service","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"wfp-hcp","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"core-file-upload-service","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"ats-recruiting-agency-service","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"ats-smart-referral-api","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"ats-requisition","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"ise-respondent","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"ise-rendering","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"ise-authoring","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"perpetual-win","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"wfp-notification","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"wfp-headcount-rpt","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"content-course-service","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"lms-ec-sync-service","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"content-domain-sync-service","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"lms-domain-sync-service","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"trainingenrollment-api","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2018-1000210","type":"CVE","severity":"high","score":"6.8","cvss3_severity":"HIGH","cvss3_score":"7.8","publishDate":"2018-07-13","lastUpdatedDate":"2018-09-11","scoreMetadataVector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-1000210","description":"YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType \u003d Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.","project":"ats-job-requisition-template-api","product":"production","cvss3Attributes":{"attackVector":"LOCAL","attackComplexity":"LOW","userInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"library":{"keyUuid":"af189278-4e06-46a0-a447-6fdcb8e5b920","filename":"roslynsecurityguard.2.2.6178.26661.nupkg","type":"NUGET_PACKAGE_MODULE","description":"Roslyn analyzers that aim to help security audits on .NET applications.","sha1":"ecfd0bbdadb9907164b08f8400bdbb9c22822c82","name":"RoslynSecurityGuard","artifactId":"roslynsecurityguard.2.2.6178.26661.nupkg","version":"2.2.6178.26661","groupId":"RoslynSecurityGuard","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2018-1000210","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000210","fixResolution":"Upgrade to version 4.3.3","date":"2019-04-08 13:05:03","message":"Upgrade to version","extraData":""}},{"name":"CVE-2017-18214","type":"CVE","severity":"high","score":"5.0","cvss3_severity":"HIGH","cvss3_score":"7.5","publishDate":"2018-03-04","lastUpdatedDate":"2019-03-27","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-18214","description":"The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.","project":"search-dashboard","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"library":{"keyUuid":"761e3bec-e73b-4ef4-8438-86b655099a0c","filename":"moment-2.19.1.min.js","type":"JAVA_SCRIPT_LIBRARY","description":"Parse, validate, manipulate, and display dates","sha1":"4e6718addc8fda68e1de3113363333c6f4d707b9","name":"moment.js","artifactId":"moment-2.19.1.min.js","version":"2.19.1","groupId":"moment.js","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-18214","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-18214","fixResolution":"Upgrade to version 2.19.3","date":"2018-03-04 21:29:00","message":"Upgrade to version"},"allFixes":[{"vulnerability":"CVE-2017-18214","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-18214","fixResolution":"Upgrade to version 2.19.3","date":"2018-03-04 21:29:00","message":"Upgrade to version"},{"vulnerability":"CVE-2017-18214","type":"UPGRADE_VERSION","origin":"NODE_SECURITY_ADVISORY","url":"https://nodesecurity.io/advisories/532","fixResolution":"Update to version 2.19.3","date":"2017-11-27 17:56:00","message":"Regular Expression Denial of Service","extraData":"key\u003d532"},{"vulnerability":"CVE-2017-18214","type":"CHANGE_FILES","origin":"GITHUB_COMMIT","url":"https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb","fixResolution":"Replace or update the following files: regex.js, moment-with-locales.js, moment.js","date":"2017-11-29 00:00:00","message":"[bugfix] Fix for ReDOS vulnerability (see #4163) (#4326)\n\n* Limiting regex match to 256 chars, fixing #4163\r\n\r\n* Limiting regex match to 256 chars, fixing #4163\r\n\r\n* Also limiting numbers to fix #4163","extraData":"key\u003d69ed9d4\u0026committerName\u003dmarwahaha\u0026committerUrl\u003dhttps://github.com/marwahaha\u0026committerAvatar\u003dhttps://avatars0.githubusercontent.com/u/2541209?v\u003d4"}]},{"name":"CVE-2015-8854","type":"CVE","severity":"high","score":"7.8","cvss3_severity":"HIGH","cvss3_score":"7.5","publishDate":"2017-01-23","lastUpdatedDate":"2017-01-24","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2015-8854","description":"The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a \"catastrophic backtracking issue for the em inline rule,\" aka a \"regular expression denial of service (ReDoS).\"","project":"edgestore-api","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"library":{"keyUuid":"91854397-c348-4d61-b614-1771a187b082","filename":"marked-0.3.2.min.js","type":"JAVA_SCRIPT_LIBRARY","description":"A markdown parser built for speed","sha1":"02d9d395ee4c19d58e919b22c62f00d2fb08601e","name":"marked","artifactId":"marked-0.3.2.min.js","version":"0.3.2","groupId":"marked","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2015-8854","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2015-8854","fixResolution":"Upgrade to version 0.3.4","date":"2017-01-23 21:59:00","message":"Upgrade to version"},"allFixes":[{"vulnerability":"CVE-2015-8854","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://nvd.nist.gov/vuln/detail/CVE-2015-8854","fixResolution":"Upgrade to version 0.3.4","date":"2017-01-23 21:59:00","message":"Upgrade to version"},{"vulnerability":"CVE-2015-8854","type":"UPGRADE_VERSION","origin":"NODE_SECURITY_ADVISORY","url":"https://nodesecurity.io/advisories/23","fixResolution":"Update to marked v0.3.4 or later.","date":"2015-01-22 17:33:48","message":"Regular Expression Denial of Service","extraData":"key\u003d23"},{"vulnerability":"CVE-2015-8854","type":"CHANGE_FILES","origin":"GITHUB_COMMIT","url":"https://github.com/chjj/marked/commit/a37bd643f05bf95ff18cafa2b06e7d741d2e2157","fixResolution":"Replace or update the following file: marked.js","date":"2015-07-29 00:00:00","message":"prevent catastrophic backtracking on `em` rule. fixes #497.","extraData":"key\u003da37bd64\u0026committerName\u003dchjj\u0026committerUrl\u003dhttps://github.com/chjj\u0026committerAvatar\u003dhttps://avatars1.githubusercontent.com/u/470564?v\u003d3"}]},{"name":"WS-2015-0020","type":"WS","severity":"high","score":"7.5","publishDate":"2015-05-20","lastUpdatedDate":"2015-05-20","url":"https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523","description":"Marked is an application that is meant to parse and compile markdown. Due to the way that marked parses input, specifically HTML entities, it\u0027s possible to bypass marked\u0027s content injection protection (sanitize: true) to inject a javascript: URL.","project":"edgestore-api","product":"production","library":{"keyUuid":"91854397-c348-4d61-b614-1771a187b082","filename":"marked-0.3.2.min.js","type":"JAVA_SCRIPT_LIBRARY","description":"A markdown parser built for speed","sha1":"02d9d395ee4c19d58e919b22c62f00d2fb08601e","name":"marked","artifactId":"marked-0.3.2.min.js","version":"0.3.2","groupId":"marked","architecture":"","languageVersion":""},"topFix":{"vulnerability":"WS-2015-0020","type":"UPGRADE_VERSION","origin":"NODE_SECURITY_ADVISORY","url":"https://nodesecurity.io/advisories/101","fixResolution":"To mitigate the flaw you have a couple of options. There\u0027s a [pull request](https://github.com/chjj/marked/pull/592) open that fixes this issue. Another option would be to switch to another markdown library such as remarkable.","date":"2016-04-18 16:45:00","message":"Sanitization bypass using HTML Entities","extraData":"key\u003d101"}},{"name":"WS-2017-0108","type":"WS","severity":"high","score":"7.3","publishDate":"2017-01-30","lastUpdatedDate":"2017-01-30","url":"https://github.com/chjj/marked/commit/cd2f6f5b7091154c5526e79b5f3bfb4d15995a51","description":"Marked 0.3.6 and earlier is vulnerable to XSS attacks via Data URIs.","project":"edgestore-api","product":"production","library":{"keyUuid":"91854397-c348-4d61-b614-1771a187b082","filename":"marked-0.3.2.min.js","type":"JAVA_SCRIPT_LIBRARY","description":"A markdown parser built for speed","sha1":"02d9d395ee4c19d58e919b22c62f00d2fb08601e","name":"marked","artifactId":"marked-0.3.2.min.js","version":"0.3.2","groupId":"marked","architecture":"","languageVersion":""},"topFix":{"vulnerability":"WS-2017-0108","type":"CHANGE_FILES","origin":"GITHUB_COMMIT","url":"https://github.com/chjj/marked/commit/cd2f6f5b7091154c5526e79b5f3bfb4d15995a51","fixResolution":"Replace or update the following files: links.sanitize.html, marked.js, links.sanitize.text","date":"2017-01-19 00:00:00","message":"added data: link fix to prevent xss","extraData":"key\u003dcd2f6f5\u0026committerName\u003dmatt-\u0026committerUrl\u003dhttps://github.com/matt-\u0026committerAvatar\u003dhttps://avatars.githubusercontent.com/u/453602?v\u003d3"}},{"name":"CVE-2017-18214","type":"CVE","severity":"high","score":"5.0","cvss3_severity":"HIGH","cvss3_score":"7.5","publishDate":"2018-03-04","lastUpdatedDate":"2019-03-27","scoreMetadataVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-18214","description":"The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.","project":"edgestore-api","product":"production","cvss3Attributes":{"attackVector":"NETWORK","attackComplexity":"LOW","userInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"library":{"keyUuid":"a8e232b2-3751-4425-93b8-5287639198cf","filename":"moment-2.10.6.js","type":"JAVA_SCRIPT_LIBRARY","description":"Parse, validate, manipulate, and display dates","sha1":"65395e3e55adc5e2953e03c8378faa5cd0e324de","name":"moment.js","artifactId":"moment-2.10.6.js","version":"2.10.6","groupId":"moment.js","architecture":"","languageVersion":""},"topFix":{"vulnerability":"CVE-2017-18214","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-18214","fixResolution":"Upgrade to version 2.19.3","date":"2018-03-04 21:29:00","message":"Upgrade to version"},"allFixes":[{"vulnerability":"CVE-2017-18214","type":"UPGRADE_VERSION","origin":"WHITESOURCE_EXPERT","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2017-18214","fixResolution":"Upgrade to version 2.19.3","date":"2018-03-04 21:29:00","message":"Upgrade to version"},{"vulnerability":"CVE-2017-18214","type":"UPGRADE_VERSION","origin":"NODE_SECURITY_ADVISORY","url":"https://nodesecurity.io/advisories/532","fixResolution":"Update to version 2.19.3","date":"2017-11-27 17:56:00","message":"Regular Expression Denial of Service","extraData":"key\u003d532"},{"vulnerability":"CVE-2017-18214","type":"CHANGE_FILES","origin":"GITHUB_COMMIT","url":"https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb","fixResolution":"Replace or update the following files: regex.js, moment-with-locales.js, moment.js","date":"2017-11-29 00:00:00","message":"[bugfix] Fix for ReDOS vulnerability (see #4163) (#4326)\n\n* Limiting regex match to 256 chars, fixing #4163\r\n\r\n* Limiting regex match to 256 chars, fixing #4163\r\n\r\n* Also limiting numbers to fix #4163","extraData":"key\u003d69ed9d4\u0026committerName\u003dmarwahaha\u0026committerUrl\u003dhttps://github.com/marwahaha\u0026committerAvatar\u003dhttps://avatars0.githubusercontent.com/u/2541209?v\u003d4"}]}]}