not found vulnerabilities at bootstrap v 3.4.1 #131

Closed
rainmakerho opened this issue May 13, 2020 · 1 comment

@rainmakerho

Hi!

I am using the following command:

```
devaudit nuget -f "C:\Labs\MyStore\Attacker.MyStore\packages.config"
```

packages.config

```xml
<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Antlr" version="3.5.0.2" targetFramework="net45" />
  <package id="bootstrap" version="3.4.1" targetFramework="net45" />
  <package id="jQuery" version="3.4.1" targetFramework="net45" />
  <package id="jQuery.Validation" version="1.17.0" targetFramework="net45" />
  <package id="Microsoft.AspNet.Mvc" version="5.2.7" targetFramework="net45" />
  <package id="Microsoft.AspNet.Razor" version="3.2.7" targetFramework="net45" />
  <package id="Microsoft.AspNet.Web.Optimization" version="1.1.3" targetFramework="net45" />
  <package id="Microsoft.AspNet.WebPages" version="3.2.7" targetFramework="net45" />
  <package id="Microsoft.CodeDom.Providers.DotNetCompilerPlatform" version="2.0.1" targetFramework="net45" />
  <package id="Microsoft.jQuery.Unobtrusive.Validation" version="3.2.11" targetFramework="net45" />
  <package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net45" />
  <package id="Modernizr" version="2.8.3" targetFramework="net45" />
  <package id="Newtonsoft.Json" version="12.0.2" targetFramework="net45" />
  <package id="WebGrease" version="1.6.0" targetFramework="net45" />
</packages>
```

The package list contains bootstrap v 3.4.1,
but it can't find the [CVE-2018-14042] vulnerability.

thanks

@ken-duck
Contributor

Oh dear. We had linked this to our internal system, but when it was looked at, this ticket was not updated.

Looking at the details of CVE-2018-14042, it turns out that versions 3.4.0 and greater (in the 3.4 branch) are not vulnerable, though the description claims it is. If you look at the details here you can see that the CVE agrees.

Apologies for not updating this ticket sooner. This project has not had a full-time maintainer in a little while. I peek in occasionally to try and deal with critical issues, but we are working on getting a full-time maintainer back again. Fingers crossed we will get there soon.
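The version-range reasoning in the reply above, as an added example that is not part of the thread and is not DevAudit's code: it matches `packages.config` entries against a structured fixed-version rule instead of an advisory's description text. The rule format and function names are hypothetical, and treating 3.x releases below 3.4.0 as affected is an assumption; the thread only states that 3.4.0 and later in the 3.4 branch are not vulnerable.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of the packages.config quoted in the issue.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="bootstrap" version="3.4.1" targetFramework="net45" />
  <package id="jQuery" version="3.4.1" targetFramework="net45" />
  <package id="Newtonsoft.Json" version="12.0.2" targetFramework="net45" />
</packages>"""

# Hypothetical rule format. Assumption: 3.x below the fixed version is
# affected; the thread only says 3.4.0 and later in that branch are not.
# Other major release lines are left undecided.
RULES = [{"cve": "CVE-2018-14042", "id": "bootstrap", "major": 3, "fixed": (3, 4, 0)}]


def parse_version(text):
    """Turn '3.4.1' or '1.0.0.0' into a tuple of ints; reject pre-release tags."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version, rule):
    """Return 'affected', 'not affected' or 'unknown' for one package version."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"  # never guess on a version we cannot order
    if v[0] != rule["major"]:
        return "unknown"  # the rule says nothing about this release line
    fixed = rule["fixed"]
    width = max(len(v), len(fixed))
    # Pad with zeros so that 3.4 compares equal to 3.4.0.
    v, fixed = v + (0,) * (width - len(v)), fixed + (0,) * (width - len(fixed))
    return "affected" if v < fixed else "not affected"


def audit(config_xml, rules=RULES):
    """Map (package id, version, CVE) to a verdict for each rule naming the package."""
    results = {}
    root = ET.fromstring(config_xml.encode("utf-8"))
    for pkg in root.iter("package"):
        pid, ver = pkg.get("id", ""), pkg.get("version", "")
        for rule in rules:
            if pid.lower() == rule["id"].lower():  # NuGet ids are case-insensitive
                results[(pid, ver, rule["cve"])] = classify(ver, rule)
    return results
```

Returning `unknown` for release lines and version strings the rule does not cover keeps a silent "no findings" result distinguishable from a confirmed "not affected".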
