CVE-2022-41032 (High) detected in nuget.protocol.5.11.0.nupkg #10

mend-bolt-for-github · 2022-10-14T01:13:06Z

CVE-2022-41032 - High Severity Vulnerability

Vulnerable Library - nuget.protocol.5.11.0.nupkg

NuGet's implementation for interacting with feeds. Contains functionality for all feed types.

Library home page: https://api.nuget.org/packages/nuget.protocol.5.11.0.nupkg

Path to dependency file: /test/AspNetCoreModules.Tests/AspNetCoreModules.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.protocol/5.11.0/nuget.protocol.5.11.0.nupkg

Dependency Hierarchy:

microsoft.visualstudio.web.codegeneration.design.6.0.6.nupkg (Root Library)
- microsoft.visualstudio.web.codegenerators.mvc.6.0.6.nupkg
  - microsoft.visualstudio.web.codegeneration.6.0.6.nupkg
    - microsoft.visualstudio.web.codegeneration.entityframeworkcore.6.0.6.nupkg
      - microsoft.visualstudio.web.codegeneration.core.6.0.6.nupkg
        
        microsoft.visualstudio.web.codegeneration.templating.6.0.6.nupkg
        
        microsoft.visualstudio.web.codegeneration.utils.6.0.6.nupkg
        
        microsoft.dotnet.scaffolding.shared.6.0.6.nupkg
        
        nuget.projectmodel.5.11.0.nupkg
        
        nuget.dependencyresolver.core.5.11.0.nupkg
        ❌ nuget.protocol.5.11.0.nupkg (Vulnerable Library)

Found in HEAD commit: 1fc1f74dd63deb977f7e029c730500c323853cbb

Found in base branch: main

Vulnerability Details

NuGet Client Elevation of Privilege Vulnerability.

Publish Date: 2022-10-11

URL: CVE-2022-41032

CVSS 3 Score Details (7.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-11

Fix Resolution: NuGet.CommandLine - 4.9.6,5.7.3,5.9.3,5.11.3,6.0.3,6.2.2,6.3.1;NuGet.Commands - 4.9.6,5.7.3,5.9.3,5.11.3,6.0.3,6.2.2,6.3.1;NuGet.Protocol - 4.9.6,5.7.3,5.9.3,5.11.3,6.0.3,6.2.2,6.3.1

Step up your Open Source Security Game with Mend here

mend-bolt-for-github bot added the security vulnerability Security vulnerability detected by WhiteSource label Oct 14, 2022

github-actions bot added the Stale label Jul 29, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2022-41032 (High) detected in nuget.protocol.5.11.0.nupkg #10

CVE-2022-41032 (High) detected in nuget.protocol.5.11.0.nupkg #10

mend-bolt-for-github bot commented Oct 14, 2022 •

edited

Loading

CVE-2022-41032 (High) detected in nuget.protocol.5.11.0.nupkg #10

CVE-2022-41032 (High) detected in nuget.protocol.5.11.0.nupkg #10

Comments

mend-bolt-for-github bot commented Oct 14, 2022 • edited Loading

CVE-2022-41032 - High Severity Vulnerability

mend-bolt-for-github bot commented Oct 14, 2022 •

edited

Loading