Closed akunzai closed 1 year ago
Could be a syntax error? 4.22 does not exist. 4.2.2 exists.
https://github.com/advisories/GHSA-3rq8-h3gj-r5c6
Also, GitHub Dependabot started alerting about this security issue, but without being able to suggest a solution. No PR suggested.
@blowdart those versions are wrong, it should say 4.2.1 and 4.2.2 respectively.
Can see that nuget-package is now fixed, but this command line still fails:
dotnet list ./src package --vulnerable --include-transitive
This is the output:
The following sources were used:
https://api.nuget.org/v3/index.json
C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\
Project `NLog.UnitTests` has the following vulnerable packages
[netcoreapp3.1]: No vulnerable packages for this framework.
[net461]:
Top-level Package Requested Resolved Severity Advisory URL
> Microsoft.Owin 4.2.2 4.2.2 High https://github.com/advisories/GHSA-3rq8-h3gj-r5c6
These are the NLog.UnitTests
package-references in use:
<PackageReference Include="Microsoft.AspNet.WebApi.OwinSelfHost" Version="5.2.9" />
<PackageReference Include="Microsoft.Owin" version="4.2.2" /> <!-- Waiting for updated OwinSelfHost -->
https://ci.appveyor.com/project/nlog/nlog/builds/44651625/job/ivj8bssv4b7permh
It's also still being flagged in VS. I've pinged the nuget team.
No longer getting warnings about Microsoft.Owin when doing validation:
dotnet list ./src package --vulnerable --include-transitive
The faulty warning has disappeared for us as well. Does anyone know what the root cause was?
This was originally caused by a typo in the versions reported in https://github.com/advisories/GHSA-3rq8-h3gj-r5c6. That typo was imported into nuget.org. When the notice was corrected there was an issue getting the state updated everywhere in nuget. The nuget team confirmed to me Friday that they resolved the update issue.
Hi @Tratcher, Microsoft.Owin.Security.Cookies is still being flagged as vulnerable by the command dotnet list package --vulnerable --include-transitive or by Visual Studio.
This is still an issue.
The API request that's made internally is: https://api.nuget.org/v3/registration5-gz-semver2/microsoft.owin.security.cookies/index.json
And that still incorrectly contains the vulnerability listed for 4.2.2:
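The registration index named above is the metadata source that `dotnet list package --vulnerable` and Visual Studio consult, so the quickest way to tell a real finding from a stale flag is to read that JSON directly and compare it with the advisory. The following is an added example, not code from this thread or from NuGet; it parses a constructed registration index in the same shape (index pages, each with inlined leaves carrying a `catalogEntry` with a `vulnerabilities` array), lists every version that still carries an advisory, and reports any version at or above the advisory's patched version that is still flagged. The severity code mapping (0 Low, 1 Moderate, 2 High, 3 Critical) is assumed, and `fetch_index` is only used if you point it at the live feed.

```python
"""Check a NuGet registration index for vulnerability flags on specific versions.

Added example (not from the issue thread or the NuGet project). It parses the
registration5 index shape that `dotnet list package --vulnerable` reads and
reports which versions still carry a vulnerability entry, so a stale flag
(an advisory corrected upstream but not yet re-imported) can be spotted
without trusting the tool's output. The sample data below is constructed.
"""
import gzip
import json
import urllib.request

REGISTRATION_BASE = "https://api.nuget.org/v3/registration5-gz-semver2/"

# Severity codes in the registration "vulnerabilities" array (assumed mapping,
# matching how the dotnet CLI labels them: 0 Low, 1 Moderate, 2 High, 3 Critical).
SEVERITY = {"0": "Low", "1": "Moderate", "2": "High", "3": "Critical"}

ADVISORY = "https://github.com/advisories/GHSA-3rq8-h3gj-r5c6"

# Constructed sample index with pages inlined, modelled on the real shape:
# index -> "items" (pages) -> "items" (leaves) -> "catalogEntry".
# 4.2.2 is the fixed version per the advisory, yet still carries an entry here,
# reproducing the stale-metadata situation reported in the thread.
SAMPLE_INDEX = {
    "items": [{
        "items": [
            {"catalogEntry": {"id": "Microsoft.Owin.Security.Cookies", "version": "4.2.0",
                              "vulnerabilities": [{"advisoryUrl": ADVISORY, "severity": "2"}]}},
            {"catalogEntry": {"id": "Microsoft.Owin.Security.Cookies", "version": "4.2.1",
                              "vulnerabilities": [{"advisoryUrl": ADVISORY, "severity": "2"}]}},
            {"catalogEntry": {"id": "Microsoft.Owin.Security.Cookies", "version": "4.2.2",
                              "vulnerabilities": [{"advisoryUrl": ADVISORY, "severity": "2"}]}},
        ]
    }]
}


def parse_version(text):
    """Turn '4.2.2' (or '4.2.2-beta1') into a comparable tuple; prerelease/build tags are dropped."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def catalog_entries(index):
    """Yield catalogEntry dicts from an index whose pages are inlined.

    Large packages have pages without inlined items that must be fetched from
    their '@id'; that case is rejected here rather than silently skipped."""
    for page in index.get("items", []):
        leaves = page.get("items")
        if leaves is None:
            raise ValueError("page %s is not inlined; fetch it separately" % page.get("@id"))
        for leaf in leaves:
            yield leaf["catalogEntry"]


def flagged_versions(index):
    """Map version string -> list of (advisoryUrl, severity label) for every flagged version."""
    flagged = {}
    for entry in catalog_entries(index):
        vulns = entry.get("vulnerabilities") or []
        if vulns:
            flagged[entry["version"]] = [
                (v.get("advisoryUrl"), SEVERITY.get(str(v.get("severity")), "Unknown"))
                for v in vulns
            ]
    return flagged


def stale_flags(index, patched_version):
    """Versions at or above the advisory's patched version that are still flagged.

    A non-empty result means the feed metadata disagrees with the advisory."""
    patched = parse_version(patched_version)
    return sorted(v for v in flagged_versions(index) if parse_version(v) >= patched)


def fetch_index(package_id):
    """Download the live registration index (network access; not used by the offline sample).

    The -gz- endpoint serves gzip with Content-Encoding, which urllib does not unpack."""
    url = REGISTRATION_BASE + package_id.lower() + "/index.json"
    with urllib.request.urlopen(url) as resp:
        raw = resp.read()
        if resp.headers.get("Content-Encoding") == "gzip":
            raw = gzip.decompress(raw)
    return json.loads(raw)


if __name__ == "__main__":
    for version, vulns in sorted(flagged_versions(SAMPLE_INDEX).items()):
        for url, sev in vulns:
            print("%s  %s  %s" % (version, sev, url))
    print("still flagged at/after 4.2.2:", stale_flags(SAMPLE_INDEX, "4.2.2"))
```

Run against the sample it reports 4.2.2 as still flagged even though the advisory says 4.2.2 is patched, which is exactly the disagreement worth raising with the feed operator rather than with the package author. Against the live feed (`stale_flags(fetch_index("Microsoft.Owin.Security.Cookies"), "4.2.2")`) an empty list confirms the metadata has been corrected.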
@tompazourek Which tool are you using to call this API?
Looks like Microsoft.Owin was fixed but Microsoft.Owin.Security.Cookies was not.
Fixed (for reals this time 😆) in VS and https://api.nuget.org/v3/registration5-gz-semver2/microsoft.owin.security.cookies/index.json
I can confirm, the issue disappeared. Thank you!
Hi there,
My CI/CD pipelines failed with the following information.
According to https://github.com/advisories/GHSA-3rq8-h3gj-r5c6,
the following packages in version 4.2.2 should not be affected by CVE-2022-29117.
Is the vulnerability warning on NuGet.org marked by accident?