microsoft.visualstudio.web.codegeneration.design.6.0.0.nupkg: 4 vulnerabilities (highest severity is: 9.8) #22
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Path to dependency file: /src/Web/WebhookClient/WebhookClient.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.protocol/5.11.0/nuget.protocol.5.11.0.nupkg
Found in HEAD commit: 58162be7965e66c71394dab67f66ed3d7cfaaef5
Vulnerabilities
*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
Vulnerable Library - nuget.packaging.5.11.0.nupkg
NuGet's understanding of packages. Reading nuspec, nupkgs and package signing.
Library home page: https://api.nuget.org/packages/nuget.packaging.5.11.0.nupkg
Path to dependency file: /src/Web/WebhookClient/WebhookClient.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.packaging/5.11.0/nuget.packaging.5.11.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: 58162be7965e66c71394dab67f66ed3d7cfaaef5
Found in base branch: dev
Vulnerability Details
.NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability
Publish Date: 2024-01-09
URL: CVE-2024-0057
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-68w7-72jg-6qpp
Release Date: 2024-01-09
Fix Resolution: NuGet.CommandLine - 5.11.6,6.0.6,6.3.4,6.4.3,6.6.2,6.7.1,6.8.1, NuGet.Packaging - 5.11.6,6.0.6,6.3.4,6.4.3,6.6.2,6.7.1,6.8.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - nuget.protocol.5.11.0.nupkg
NuGet's implementation for interacting with feeds. Contains functionality for all feed types.
Library home page: https://api.nuget.org/packages/nuget.protocol.5.11.0.nupkg
Path to dependency file: /src/Web/WebhookClient/WebhookClient.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.protocol/5.11.0/nuget.protocol.5.11.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: 58162be7965e66c71394dab67f66ed3d7cfaaef5
Found in base branch: dev
Vulnerability Details
NuGet Client Elevation of Privilege Vulnerability.
Publish Date: 2022-10-11
URL: CVE-2022-41032
CVSS 3 Score Details (7.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-11
Fix Resolution: NuGet.CommandLine - 4.9.6,5.7.3,5.9.3,5.11.3,6.0.3,6.2.2,6.3.1;NuGet.Commands - 4.9.6,5.7.3,5.9.3,5.11.3,6.0.3,6.2.2,6.3.1;NuGet.Protocol - 4.9.6,5.7.3,5.9.3,5.11.3,6.0.3,6.2.2,6.3.1
Vulnerable Libraries - nuget.protocol.5.11.0.nupkg, nuget.common.5.11.0.nupkg
nuget.protocol.5.11.0.nupkg
NuGet's implementation for interacting with feeds. Contains functionality for all feed types.
Library home page: https://api.nuget.org/packages/nuget.protocol.5.11.0.nupkg
Path to dependency file: /src/Web/WebhookClient/WebhookClient.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.protocol/5.11.0/nuget.protocol.5.11.0.nupkg
Dependency Hierarchy:
nuget.common.5.11.0.nupkg
Common utilities and interfaces for all NuGet libraries.
Library home page: https://api.nuget.org/packages/nuget.common.5.11.0.nupkg
Path to dependency file: /src/Web/WebhookClient/WebhookClient.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.common/5.11.0/nuget.common.5.11.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: 58162be7965e66c71394dab67f66ed3d7cfaaef5
Found in base branch: dev
Vulnerability Details
NuGet Client Remote Code Execution Vulnerability
Publish Date: 2023-06-14
URL: CVE-2023-29337
CVSS 3 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-6qmf-mmc7-6c2p
Release Date: 2023-06-14
Fix Resolution: NuGet.CommandLine - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1, NuGet.Commands - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1, NuGet.Common - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1, NuGet.PackageManagement - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1, NuGet.Protocol - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1
Vulnerable Library - system.security.cryptography.xml.4.7.0.nupkg
Provides classes to support the creation and validation of XML digital signatures. The classes in th...
Library home page: https://api.nuget.org/packages/system.security.cryptography.xml.4.7.0.nupkg
Path to dependency file: /src/Web/WebhookClient/WebhookClient.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.security.cryptography.xml/4.7.0/system.security.cryptography.xml.4.7.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: 58162be7965e66c71394dab67f66ed3d7cfaaef5
Found in base branch: dev
Vulnerability Details
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. An information disclosure vulnerability exists in .NET Core 3.1 and .NET 6.0 that could lead to unauthorized access of privileged information.
Publish Date: 2022-08-09
URL: CVE-2022-34716
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-2m65-m22p-9wjw
Release Date: 2022-08-09
Fix Resolution: Microsoft.AspNetCore.App.Runtime.linux-arm - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-arm64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-musl-arm - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-musl-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.osx-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-arm - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-arm64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-x86 - 3.1.28,6.0.8;System.Security.Cryptography.Xml - 4.7.1,6.0.1
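All four findings above are transitive: the report names microsoft.visualstudio.web.codegeneration.design.6.0.0.nupkg as the package that pulls in NuGet.Common/NuGet.Protocol/NuGet.Packaging 5.11.0 and System.Security.Cryptography.Xml 4.7.0, and the "Dependency Hierarchy" sections came through empty. When no version of the direct dependency carries a fix, the standard NuGet remediation is to add explicit top-level PackageReference entries for the transitive packages at a fixed version, because a direct reference takes precedence over a transitive one during resolution. The fragment below is an added example of that for /src/Web/WebhookClient/WebhookClient.csproj; it is not taken from the report or from the scanned project. It assumes the scaffolding package in the issue title is the direct dependency, that its dependency ranges on NuGet.* are open-ended (so 6.0.6 satisfies them), and that the project targets net6.0; the versions come from the Fix Resolution lists above. The NuGetAudit properties are real MSBuild/NuGet settings but need a recent SDK (NuGet 6.8+ for NuGetAudit, 6.10+ for NuGetAuditMode); older SDKs ignore them.

```xml
<!-- Added example for WebhookClient.csproj, not from the Mend report or the project.
     Assumption: Microsoft.VisualStudio.Web.CodeGeneration.Design 6.0.0 is the direct
     dependency that brings in NuGet.* 5.11.0 and System.Security.Cryptography.Xml 4.7.0.
     Verify before and after with:
       dotnet list package --vulnerable --include-transitive -->
<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <!-- Make restore fail, not just warn, on known-vulnerable packages at any depth.
         NU1901..NU1904 are the low/moderate/high/critical audit warnings. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Direct dependency named in the issue title (design-time scaffolding). -->
    <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="6.0.0" />

    <!-- Explicit top-level references override the 5.11.0 transitive versions.
         The NuGet.* packages are one version line and must move together. Per the
         Fix Resolution lists above, 5.11.x has no fix for CVE-2023-29337, so 6.0.6 is
         the lowest single version covering CVE-2022-41032 (>= 6.0.3),
         CVE-2023-29337 (>= 6.0.5) and CVE-2024-0057 (6.0.6). -->
    <PackageReference Include="NuGet.Common"    Version="6.0.6" />
    <PackageReference Include="NuGet.Protocol"  Version="6.0.6" />
    <PackageReference Include="NuGet.Packaging" Version="6.0.6" />

    <!-- CVE-2022-34716: 6.0.1 is the fixed version in the report's 6.0 line
         (4.7.1 is the alternative if the project must stay on the 4.7 line). -->
    <PackageReference Include="System.Security.Cryptography.Xml" Version="6.0.1" />
  </ItemGroup>

</Project>
```

After changing the file, run `dotnet restore` and then `dotnet list package --vulnerable --include-transitive` again; the four packages should no longer appear, and with the audit properties above any future vulnerable transitive package breaks the build instead of waiting for the next scanner run. If restore reports NU1605 (package downgrade) or a dependency-range conflict from the scaffolding package, the open-range assumption above does not hold for that package and the pins need to be aligned with its declared ranges.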