Vulnerable Library - ardalis.liststartupservices.1.1.3.nupkg
Path to dependency file: /src/Web/Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore.http/1.1.0/microsoft.aspnetcore.http.1.1.0.nupkg
Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-38095
### Vulnerable Library - system.formats.asn1.5.0.0.nupkg

Provides classes that can read and write the ASN.1 BER, CER, and DER data formats. Commonly Used Ty...
Library home page: https://api.nuget.org/packages/system.formats.asn1.5.0.0.nupkg
Path to dependency file: /src/Web/Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.formats.asn1/5.0.0/system.formats.asn1.5.0.0.nupkg
Dependency Hierarchy:
- ardalis.liststartupservices.1.1.3.nupkg (Root Library)
  - microsoft.aspnetcore.1.1.0.nupkg
    - microsoft.aspnetcore.routing.1.1.0.nupkg
      - microsoft.aspnetcore.routing.abstractions.1.1.0.nupkg
        - microsoft.aspnetcore.http.abstractions.1.1.0.nupkg
          - microsoft.aspnetcore.http.features.1.1.0.nupkg
            - netstandard.library.1.6.1.nupkg
              - system.security.cryptography.x509certificates.4.3.0.nupkg
                - system.security.cryptography.cng.5.0.0.nupkg
                  - :x: **system.formats.asn1.5.0.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485
Found in base branch: main
### Vulnerability Details

.NET and Visual Studio Denial of Service Vulnerability
Publish Date: 2024-07-09
URL: CVE-2024-38095
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-447r-wph3-92pm
Release Date: 2024-07-09
Fix Resolution: Microsoft.NetCore.App.Runtime - 6.0.32,8.0.7, System.Formats.Asn1 - 6.0.1,8.0.1
CVE-2020-1045
### Vulnerable Library - microsoft.aspnetcore.http.1.1.0.nupkg

ASP.NET Core default HTTP feature implementations.
Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.http.1.1.0.nupkg
Path to dependency file: /src/Web/Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore.http/1.1.0/microsoft.aspnetcore.http.1.1.0.nupkg
Dependency Hierarchy:
- ardalis.liststartupservices.1.1.3.nupkg (Root Library)
  - microsoft.aspnetcore.1.1.0.nupkg
    - microsoft.aspnetcore.server.iisintegration.1.1.0.nupkg
      - :x: **microsoft.aspnetcore.http.1.1.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485
Found in base branch: main
### Vulnerability Details

A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.
The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.
The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.
Publish Date: 2020-09-11
URL: CVE-2020-1045
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Release Date: 2020-09-11
Fix Resolution: Microsoft.AspNetCore.App - 2.1.22, Microsoft.AspNetCore.All - 2.1.22,Microsoft.NETCore.App - 2.1.22, Microsoft.AspNetCore.Http - 2.1.22
CVE-2019-0820
### Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg

Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...
Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg
Path to dependency file: /src/Web/Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg
Dependency Hierarchy:
- ardalis.liststartupservices.1.1.3.nupkg (Root Library)
  - microsoft.aspnetcore.1.1.0.nupkg
    - microsoft.aspnetcore.routing.1.1.0.nupkg
      - microsoft.aspnetcore.routing.abstractions.1.1.0.nupkg
        - microsoft.aspnetcore.http.abstractions.1.1.0.nupkg
          - microsoft.aspnetcore.http.features.1.1.0.nupkg
            - netstandard.library.1.6.1.nupkg
              - system.xml.xdocument.4.3.0.nupkg
                - system.xml.readerwriter.4.3.0.nupkg
                  - :x: **system.text.regularexpressions.4.3.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485
Found in base branch: main
### Vulnerability Details

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.

Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.
Publish Date: 2019-05-16
URL: CVE-2019-0820
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-cmhx-cq75-c4mj
Release Date: 2019-05-16
Fix Resolution: System.Text.RegularExpressions - 4.3.1
CVE-2018-0808
### Vulnerable Libraries - microsoft.aspnetcore.hosting.1.1.0.nupkg, microsoft.aspnetcore.1.1.0.nupkg, microsoft.aspnetcore.server.iisintegration.1.1.0.nupkg

### microsoft.aspnetcore.hosting.1.1.0.nupkg
ASP.NET Core hosting infrastructure and startup logic for web applications.
Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.hosting.1.1.0.nupkg
Path to dependency file: /src/Web/Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore.hosting/1.1.0/microsoft.aspnetcore.hosting.1.1.0.nupkg
Dependency Hierarchy:
- ardalis.liststartupservices.1.1.3.nupkg (Root Library)
  - microsoft.aspnetcore.1.1.0.nupkg
    - microsoft.aspnetcore.server.kestrel.1.1.0.nupkg
      - :x: **microsoft.aspnetcore.hosting.1.1.0.nupkg** (Vulnerable Library)

### microsoft.aspnetcore.1.1.0.nupkg
Microsoft.AspNetCore
Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.1.1.0.nupkg
Path to dependency file: /src/Web/Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore/1.1.0/microsoft.aspnetcore.1.1.0.nupkg
Dependency Hierarchy:
- ardalis.liststartupservices.1.1.3.nupkg (Root Library)
  - :x: **microsoft.aspnetcore.1.1.0.nupkg** (Vulnerable Library)

### microsoft.aspnetcore.server.iisintegration.1.1.0.nupkg
ASP.NET Core components for working with the IIS AspNetCoreModule.
Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.server.iisintegration.1.1.0.nupkg
Path to dependency file: /src/Web/Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore.server.iisintegration/1.1.0/microsoft.aspnetcore.server.iisintegration.1.1.0.nupkg
Dependency Hierarchy:
- ardalis.liststartupservices.1.1.3.nupkg (Root Library)
  - microsoft.aspnetcore.1.1.0.nupkg
    - :x: **microsoft.aspnetcore.server.iisintegration.1.1.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485
Found in base branch: main
### Vulnerability Details

ASP.NET Core 1.0, 1.1, and 2.0 allow an elevation of privilege vulnerability due to how ASP.NET web applications handle web requests, aka "ASP.NET Core Elevation Of Privilege Vulnerability". This CVE is unique from CVE-2018-0784.
Publish Date: 2018-03-14
URL: CVE-2018-0808
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0808
Release Date: 2018-03-14
Fix Resolution: Microsoft.AspNetCore.Server.IISIntegration - 2.1.0, Microsoft.AspNetCore.Hosting - 2.1.0
CVE-2017-8700
### Vulnerable Library - microsoft.aspnetcore.1.1.0.nupkg

Microsoft.AspNetCore
Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.1.1.0.nupkg
Path to dependency file: /src/Web/Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore/1.1.0/microsoft.aspnetcore.1.1.0.nupkg
Dependency Hierarchy:
- ardalis.liststartupservices.1.1.3.nupkg (Root Library)
  - :x: **microsoft.aspnetcore.1.1.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485
Found in base branch: main
### Vulnerability Details

ASP.NET Core 1.0, 1.1, and 2.0 allow an attacker to bypass Cross-origin Resource Sharing (CORS) configurations and retrieve normally restricted content from a web application, aka "ASP.NET Core Information Disclosure Vulnerability".
Publish Date: 2017-11-14
URL: CVE-2017-8700
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8700
Release Date: 2017-11-14
Fix Resolution: Microsoft.AspNetCore - 1.2; Microsoft.AspNetCore.Mvc.Core - 1.0.6, 1.1.6; Microsoft.AspNetCore.Mvc.Cors - 1.0.6, 1.1.6
CVE-2017-11770
### Vulnerable Library - microsoft.aspnetcore.1.1.0.nupkg

Microsoft.AspNetCore
Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.1.1.0.nupkg
Path to dependency file: /src/Web/Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore/1.1.0/microsoft.aspnetcore.1.1.0.nupkg
Dependency Hierarchy:
- ardalis.liststartupservices.1.1.3.nupkg (Root Library)
  - :x: **microsoft.aspnetcore.1.1.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485
Found in base branch: main
### Vulnerability Details

.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack against a .NET Core web application by improperly parsing certificate data. A denial of service vulnerability exists when .NET Core improperly handles parsing certificate data, aka ".NET CORE Denial Of Service Vulnerability".
Publish Date: 2017-11-14
URL: CVE-2017-11770
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11770
Release Date: 2017-11-15
Fix Resolution: 1.0.8;1.1.5;2.0.3
CVE-2018-8292
### Vulnerable Library - system.net.http.4.3.2.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...
Library home page: https://api.nuget.org/packages/system.net.http.4.3.2.nupkg
Path to dependency file: /src/Web/Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.2/system.net.http.4.3.2.nupkg
Dependency Hierarchy:
- ardalis.liststartupservices.1.1.3.nupkg (Root Library)
  - microsoft.aspnetcore.1.1.0.nupkg
    - microsoft.aspnetcore.routing.1.1.0.nupkg
      - microsoft.aspnetcore.routing.abstractions.1.1.0.nupkg
        - microsoft.aspnetcore.http.abstractions.1.1.0.nupkg
          - microsoft.aspnetcore.http.features.1.1.0.nupkg
            - netstandard.library.1.6.1.nupkg
              - :x: **system.net.http.4.3.2.nupkg** (Vulnerable Library)
Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485
Found in base branch: main
### Vulnerability Details

An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.
Publish Date: 2018-10-10
URL: CVE-2018-8292
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Release Date: 2018-10-10
Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1