microsoft.visualstudio.web.codegeneration.design.6.0.0.nupkg: 4 vulnerabilities (highest severity is: 9.8)

[mend-bolt-for-github]

Vulnerable Library - microsoft.visualstudio.web.codegeneration.design.6.0.0.nupkg

Path to dependency file: /src/Web/WebhookClient/WebhookClient.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.protocol/5.11.0/nuget.protocol.5.11.0.nupkg

Found in HEAD commit: 58162be7965e66c71394dab67f66ed3d7cfaaef5

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (microsoft.visualstudio.web.codegeneration.design.6.0.0.nupkg version)	Remediation Possible**
CVE-2024-0057	Critical	9.8	nuget.packaging.5.11.0.nupkg	Transitive	N/A*	❌
CVE-2022-41032	High	7.8	nuget.protocol.5.11.0.nupkg	Transitive	N/A*	❌
CVE-2023-29337	High	7.1	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2022-34716	Medium	5.9	system.security.cryptography.xml.4.7.0.nupkg	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-0057

Vulnerable Library - nuget.packaging.5.11.0.nupkg

NuGet's understanding of packages. Reading nuspec, nupkgs and package signing.

Library home page: https://api.nuget.org/packages/nuget.packaging.5.11.0.nupkg

Path to dependency file: /src/Web/WebhookClient/WebhookClient.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.packaging/5.11.0/nuget.packaging.5.11.0.nupkg

Dependency Hierarchy:

• microsoft.visualstudio.web.codegeneration.design.6.0.0.nupkg (Root Library)
  • microsoft.visualstudio.web.codegenerators.mvc.6.0.0.nupkg
    • microsoft.visualstudio.web.codegeneration.6.0.0.nupkg
      • microsoft.visualstudio.web.codegeneration.entityframeworkcore.6.0.0.nupkg
        • microsoft.visualstudio.web.codegeneration.core.6.0.0.nupkg
          • microsoft.visualstudio.web.codegeneration.templating.6.0.0.nupkg
            • microsoft.visualstudio.web.codegeneration.utils.6.0.0.nupkg
              • microsoft.dotnet.scaffolding.shared.6.0.0.nupkg
                • nuget.projectmodel.5.11.0.nupkg
                  • nuget.dependencyresolver.core.5.11.0.nupkg
                  • nuget.protocol.5.11.0.nupkg
                  • ❌ nuget.packaging.5.11.0.nupkg (Vulnerable Library)

Found in HEAD commit: 58162be7965e66c71394dab67f66ed3d7cfaaef5

Found in base branch: dev

Vulnerability Details

NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability

Publish Date: 2024-01-09

URL: CVE-2024-0057

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-68w7-72jg-6qpp

Release Date: 2024-01-09

Fix Resolution: NuGet.CommandLine - 5.11.6,6.0.6,6.3.4,6.4.3,6.6.2,6.7.1,6.8.1, NuGet.Packaging - 5.11.6,6.0.6,6.3.4,6.4.3,6.6.2,6.7.1,6.8.1

Step up your Open Source Security Game with Mend here

CVE-2022-41032

Vulnerable Library - nuget.protocol.5.11.0.nupkg

NuGet's implementation for interacting with feeds. Contains functionality for all feed types.

Library home page: https://api.nuget.org/packages/nuget.protocol.5.11.0.nupkg

Path to dependency file: /src/Web/WebhookClient/WebhookClient.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.protocol/5.11.0/nuget.protocol.5.11.0.nupkg

Dependency Hierarchy:

• microsoft.visualstudio.web.codegeneration.design.6.0.0.nupkg (Root Library)
  • microsoft.visualstudio.web.codegenerators.mvc.6.0.0.nupkg
    • microsoft.visualstudio.web.codegeneration.6.0.0.nupkg
      • microsoft.visualstudio.web.codegeneration.entityframeworkcore.6.0.0.nupkg
        • microsoft.visualstudio.web.codegeneration.core.6.0.0.nupkg
          • microsoft.visualstudio.web.codegeneration.templating.6.0.0.nupkg
            • microsoft.visualstudio.web.codegeneration.utils.6.0.0.nupkg
              • microsoft.dotnet.scaffolding.shared.6.0.0.nupkg
                • nuget.projectmodel.5.11.0.nupkg
                  • nuget.dependencyresolver.core.5.11.0.nupkg
                  • ❌ nuget.protocol.5.11.0.nupkg (Vulnerable Library)

Found in HEAD commit: 58162be7965e66c71394dab67f66ed3d7cfaaef5

Found in base branch: dev

Vulnerability Details

NuGet Client Elevation of Privilege Vulnerability.

Publish Date: 2022-10-11

URL: CVE-2022-41032

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-11

Fix Resolution: NuGet.CommandLine - 4.9.6,5.7.3,5.9.3,5.11.3,6.0.3,6.2.2,6.3.1;NuGet.Commands - 4.9.6,5.7.3,5.9.3,5.11.3,6.0.3,6.2.2,6.3.1;NuGet.Protocol - 4.9.6,5.7.3,5.9.3,5.11.3,6.0.3,6.2.2,6.3.1

Step up your Open Source Security Game with Mend here

CVE-2023-29337

Vulnerable Libraries - nuget.protocol.5.11.0.nupkg, nuget.common.5.11.0.nupkg

nuget.protocol.5.11.0.nupkg

NuGet's implementation for interacting with feeds. Contains functionality for all feed types.

Library home page: https://api.nuget.org/packages/nuget.protocol.5.11.0.nupkg

Path to dependency file: /src/Web/WebhookClient/WebhookClient.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.protocol/5.11.0/nuget.protocol.5.11.0.nupkg

Dependency Hierarchy:

• microsoft.visualstudio.web.codegeneration.design.6.0.0.nupkg (Root Library)
  • microsoft.visualstudio.web.codegenerators.mvc.6.0.0.nupkg
    • microsoft.visualstudio.web.codegeneration.6.0.0.nupkg
      • microsoft.visualstudio.web.codegeneration.entityframeworkcore.6.0.0.nupkg
        • microsoft.visualstudio.web.codegeneration.core.6.0.0.nupkg
          • microsoft.visualstudio.web.codegeneration.templating.6.0.0.nupkg
            • microsoft.visualstudio.web.codegeneration.utils.6.0.0.nupkg
              • microsoft.dotnet.scaffolding.shared.6.0.0.nupkg
                • nuget.projectmodel.5.11.0.nupkg
                  • nuget.dependencyresolver.core.5.11.0.nupkg
                  • ❌ nuget.protocol.5.11.0.nupkg (Vulnerable Library)

nuget.common.5.11.0.nupkg

Common utilities and interfaces for all NuGet libraries.

Library home page: https://api.nuget.org/packages/nuget.common.5.11.0.nupkg

Path to dependency file: /src/Web/WebhookClient/WebhookClient.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.common/5.11.0/nuget.common.5.11.0.nupkg

Dependency Hierarchy:

• microsoft.visualstudio.web.codegeneration.design.6.0.0.nupkg (Root Library)
  • microsoft.visualstudio.web.codegenerators.mvc.6.0.0.nupkg
    • microsoft.visualstudio.web.codegeneration.6.0.0.nupkg
      • microsoft.visualstudio.web.codegeneration.entityframeworkcore.6.0.0.nupkg
        • microsoft.visualstudio.web.codegeneration.core.6.0.0.nupkg
          • microsoft.visualstudio.web.codegeneration.templating.6.0.0.nupkg
            • microsoft.visualstudio.web.codegeneration.utils.6.0.0.nupkg
              • microsoft.dotnet.scaffolding.shared.6.0.0.nupkg
                • nuget.projectmodel.5.11.0.nupkg
                  • nuget.dependencyresolver.core.5.11.0.nupkg
                  • nuget.librarymodel.5.11.0.nupkg
                  • ❌ nuget.common.5.11.0.nupkg (Vulnerable Library)

Found in HEAD commit: 58162be7965e66c71394dab67f66ed3d7cfaaef5

Found in base branch: dev

Vulnerability Details

NuGet Client Remote Code Execution Vulnerability

Publish Date: 2023-06-14

URL: CVE-2023-29337

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6qmf-mmc7-6c2p

Release Date: 2023-06-14

Fix Resolution: NuGet.CommandLine - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1, NuGet.Commands - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1, NuGet.Common - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1, NuGet.PackageManagement - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1, NuGet.Protocol - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1

Step up your Open Source Security Game with Mend here

CVE-2022-34716

Vulnerable Library - system.security.cryptography.xml.4.7.0.nupkg

Provides classes to support the creation and validation of XML digital signatures. The classes in th...

Library home page: https://api.nuget.org/packages/system.security.cryptography.xml.4.7.0.nupkg

Path to dependency file: /src/Web/WebhookClient/WebhookClient.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.security.cryptography.xml/4.7.0/system.security.cryptography.xml.4.7.0.nupkg

Dependency Hierarchy:

• microsoft.visualstudio.web.codegeneration.design.6.0.0.nupkg (Root Library)
  • microsoft.visualstudio.web.codegenerators.mvc.6.0.0.nupkg
    • microsoft.visualstudio.web.codegeneration.6.0.0.nupkg
      • microsoft.visualstudio.web.codegeneration.entityframeworkcore.6.0.0.nupkg
        • microsoft.visualstudio.web.codegeneration.core.6.0.0.nupkg
          • microsoft.visualstudio.web.codegeneration.templating.6.0.0.nupkg
            • microsoft.visualstudio.web.codegeneration.utils.6.0.0.nupkg
              • microsoft.dotnet.scaffolding.shared.6.0.0.nupkg
                • microsoft.build.tasks.core.16.9.0.nupkg
                  • ❌ system.security.cryptography.xml.4.7.0.nupkg (Vulnerable Library)

Found in HEAD commit: 58162be7965e66c71394dab67f66ed3d7cfaaef5

Found in base branch: dev

Vulnerability Details

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. An information disclosure vulnerability exists in .NET Core 3.1 and .NET 6.0 that could lead to unauthorized access of privileged information.

Affected software

• Any .NET 6.0 application running on .NET 6.0.7 or earlier.
• Any .NET Core 3.1 applicaiton running on .NET Core 3.1.27 or earlier.

Patches

• If you're using .NET 6.0, you should download and install Runtime 6.0.8 or SDK 6.0.108 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0.
• If you're using .NET Core 3.1, you should download and install Runtime 3.1.28 (for Visual Studio 2019 v16.9) from https://dotnet.microsoft.com/download/dotnet-core/3.1.

Publish Date: 2022-08-09

URL: CVE-2022-34716

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2m65-m22p-9wjw

Release Date: 2022-08-09

Fix Resolution: Microsoft.AspNetCore.App.Runtime.linux-arm - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-arm64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-musl-arm - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-musl-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.osx-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-arm - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-arm64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-x86 - 3.1.28,6.0.8;System.Security.Cryptography.Xml - 4.7.1,6.0.1

Step up your Open Source Security Game with Mend here