Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Moq is using Castle.Core which has an old version of System.Net.Http which is vulnerable to "DoS", "Spoofing", "Privilege Escalation", "Authentication Bypass" and "Information Exposure"

Closed
sydseter opened this issue Nov 29, 2021 · 2 comments · Fixed by #1257

Comments

@sydseter
Copy link

sydseter commented Nov 29, 2021

The following vulnerable libraries were found: System.Net.Http@4.3.0 and System.Text.RegularExpressions@4.3.0

All issues for System.Net.Http@4.3.0 have been fixed in 4.3.4.
All issues for System.Text.RegularExpressions@4.3.0 have been fixed in 4.3.1

These are the vulnerabilities associated vulnerable paths:

✗ Denial of Service (DoS) [High Severity]https://snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60045 in System.Net.Http@4.3.0
introduced by:
Moq@4.16.1 > Castle.Core@4.4.0 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
xunit@2.4.1 > xunit.assert@2.4.1 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
This issue was fixed in versions: 4.1.2, 4.3.2
✗ Improper Certificate Validation [High Severity]https://snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60046 in System.Net.Http@4.3.0
introduced by:
Moq@4.16.1 > Castle.Core@4.4.0 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
xunit@2.4.1 > xunit.assert@2.4.1 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
This issue was fixed in versions: 4.1.2, 4.3.2
✗ Privilege Escalation [High Severity]https://snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60047 in System.Net.Http@4.3.0
introduced by:
Moq@4.16.1 > Castle.Core@4.4.0 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
xunit@2.4.1 > xunit.assert@2.4.1 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
This issue was fixed in versions: 4.1.2, 4.3.2
✗ Authentication Bypass [Medium Severity]https://snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60048 in System.Net.Http@4.3.0
introduced by:
Moq@4.16.1 > Castle.Core@4.4.0 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
xunit@2.4.1 > xunit.assert@2.4.1 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
This issue was fixed in versions: 4.1.2, 4.3.2
✗ Information Exposure [High Severity]https://snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-72439 in System.Net.Http@4.3.0
introduced by:
Moq@4.16.1 > Castle.Core@4.4.0 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
xunit@2.4.1 > xunit.assert@2.4.1 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
This issue was fixed in versions: 2.0.20710, 4.0.1-beta-23225, 4.1.4, 4.3.4
✗ Regular Expression Denial of Service (ReDoS) [High Severity]https://snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTREGULAREXPRESSIONS-174708 in System.Text.RegularExpressions@4.3
.0
introduced by:
Moq@4.16.1 > Castle.Core@4.4.0 > NETStandard.Library@1.6.1 > System.Text.RegularExpressions@4.3.0
xunit@2.4.1 > xunit.assert@2.4.1 > NETStandard.Library@1.6.1 > System.Text.RegularExpressions@4.3.0
Moq@4.16.1 > Castle.Core@4.4.0 > NETStandard.Library@1.6.1 > System.Xml.ReaderWriter@4.3.0 > System.Text.RegularExpressions@4.3.0
xunit@2.4.1 > xunit.assert@2.4.1 > NETStandard.Library@1.6.1 > System.Xml.ReaderWriter@4.3.0 > System.Text.RegularExpressions@4.3.0
This issue was fixed in versions: 4.3.1

@sydseter sydseter changed the title Moq is using an old version of System.Net.Http which is vulnerable to "DoS", "Spoofing", "Privilege Escalation", "Authentication Bypass" and "Information Exposure" Moq is using Castle.Core which has an old version of System.Net.Http which is vulnerable to "DoS", "Spoofing", "Privilege Escalation", "Authentication Bypass" and "Information Exposure" Nov 29, 2021
@stakx
Copy link
Member

stakx commented Nov 29, 2021

We cannot really do anything about that until Castle.Core updates their dependencies. Once there is an updated Castle.Core release, Moq will follow suit very soon thereafter.

@IanKemp
Copy link

IanKemp commented Mar 23, 2022

@stakx suggest closing this then, unless you intend to keep it as a reminder to bump the Castle.Core version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants