Path to dependency file: /tests/Umbraco.Tests.Integration/Umbraco.Tests.Integration.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Path to dependency file: /src/Umbraco.Cms.StaticAssets/Umbraco.Cms.StaticAssets.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg
Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator. This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016.
An attacker that can intercept traffic between a replication client and server, or control the target replication node
URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This
can result in remote code execution or other potential unauthorized access.
Path to dependency file: /src/Umbraco.Cms.ManagementApi/Umbraco.Cms.ManagementApi.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. An information disclosure vulnerability exists in .NET Core 3.1 and .NET 6.0 that could lead to unauthorized access of privileged information.
## Affected software
* Any .NET 6.0 application running on .NET 6.0.7 or earlier.
* Any .NET Core 3.1 applicaiton running on .NET Core 3.1.27 or earlier.
## Patches
* If you're using .NET 6.0, you should download and install Runtime 6.0.8 or SDK 6.0.108 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0.
* If you're using .NET Core 3.1, you should download and install Runtime 3.1.28 (for Visual Studio 2019 v16.9) from https://dotnet.microsoft.com/download/dotnet-core/3.1.
Path to dependency file: /tests/Umbraco.Tests.Integration/Umbraco.Tests.Integration.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-43383
### Vulnerable Library - lucene.net.replicator.4.8.0-beta00016.nupkgReplicator that allows replication of files between a server and client(s) for the Lucene.NET full-t...
Library home page: https://api.nuget.org/packages/lucene.net.replicator.4.8.0-beta00016.nupkg
Path to dependency file: /src/Umbraco.Cms.StaticAssets/Umbraco.Cms.StaticAssets.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg,/home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg
Dependency Hierarchy: - Umbraco.Cms.ManagementApi-10.0.0 (Root Library) - umbraco.cms.web.common.10.0.0.nupkg - umbraco.cms.examine.lucene.10.0.0.nupkg - examine.3.0.1.nupkg - examine.lucene.3.0.1.nupkg - :x: **lucene.net.replicator.4.8.0-beta00016.nupkg** (Vulnerable Library)
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Found in base branch: v10/contrib
### Vulnerability DetailsDeserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator. This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access.
Publish Date: 2024-10-31
URL: CVE-2024-43383
### CVSS 3 Score Details (8.0)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Adjacent - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://seclists.org/oss-sec/2024/q4/49
Release Date: 2024-10-31
Fix Resolution: Lucene.Net.Replicator - 4.8.0-beta00017
CVE-2022-34716
### Vulnerable Library - system.security.cryptography.xml.5.0.0.nupkgProvides classes to support the creation and validation of XML digital signatures. The classes in th...
Library home page: https://api.nuget.org/packages/system.security.cryptography.xml.5.0.0.nupkg
Path to dependency file: /src/Umbraco.Cms.ManagementApi/Umbraco.Cms.ManagementApi.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg,/home/wss-scanner/.nuget/packages/system.security.cryptography.xml/5.0.0/system.security.cryptography.xml.5.0.0.nupkg
Dependency Hierarchy: - Umbraco.Cms.ManagementApi-10.0.0 (Root Library) - umbraco.cms.web.common.10.0.0.nupkg - umbraco.cms.examine.lucene.10.0.0.nupkg - examine.3.0.1.nupkg - microsoft.aspnetcore.dataprotection.5.0.5.nupkg - :x: **system.security.cryptography.xml.5.0.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Found in base branch: v10/contrib
### Vulnerability DetailsMicrosoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. An information disclosure vulnerability exists in .NET Core 3.1 and .NET 6.0 that could lead to unauthorized access of privileged information. ## Affected software * Any .NET 6.0 application running on .NET 6.0.7 or earlier. * Any .NET Core 3.1 applicaiton running on .NET Core 3.1.27 or earlier. ## Patches * If you're using .NET 6.0, you should download and install Runtime 6.0.8 or SDK 6.0.108 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0. * If you're using .NET Core 3.1, you should download and install Runtime 3.1.28 (for Visual Studio 2019 v16.9) from https://dotnet.microsoft.com/download/dotnet-core/3.1.
Publish Date: 2022-08-09
URL: CVE-2022-34716
### CVSS 3 Score Details (5.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-2m65-m22p-9wjw
Release Date: 2022-08-09
Fix Resolution: Microsoft.AspNetCore.App.Runtime.linux-arm - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-arm64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-musl-arm - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-musl-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.osx-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-arm - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-arm64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-x86 - 3.1.28,6.0.8;System.Security.Cryptography.Xml - 4.7.1,6.0.1