Vulnerable Library - UnitTests-1.0.0
Path to dependency file: /tests/IntegrationTests/IntegrationTests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/6.17.0/microsoft.identitymodel.jsonwebtokens.6.17.0.nupkg
Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485
Vulnerabilities
*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed.
**In some cases a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
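The note above describes the situation for most entries in this report: the vulnerable package is reached only through a transitive chain (for example Microsoft.AspNetCore.Authentication.JwtBearer 6.0.4 pulling in Microsoft.IdentityModel.JsonWebTokens 6.17.0). NuGet resolves the version nearest the project first, so a direct PackageReference at the fixed version given in the matching Details entry overrides the transitive one without waiting for the direct dependency to update. The fragment below is an added example, not part of the scanner output or of the scanned project. It assumes a net6.0 project (the report shows 6.0.x ASP.NET Core packages but does not state the target framework) and takes every pinned version from the Fix Resolution lines below; NuGet.Protocol and NuGet.Common at 6.8.1 are assumed to exist alongside the NuGet.Packaging 6.8.1 the report lists, since the NuGet client libraries ship as one versioned set.

```xml
<!-- Added example: direct PackageReference pins that lift the transitive packages
     flagged in this report to the fixed versions from its Fix Resolution lines.
     Assumes a net6.0 project; the "existing" references are the entry points the
     Dependency Hierarchy sections show. -->
<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- Direct dependencies already in the project (versions from the hierarchies). -->
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="6.0.4" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="6.0.4" />
    <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="6.0.3" />
  </ItemGroup>

  <ItemGroup Label="Transitive overrides">
    <!-- CVE-2024-21319: JwtBearer 6.0.4 -> ... -> Microsoft.IdentityModel.JsonWebTokens 6.17.0 -->
    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.34.0" />
    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="6.34.0" />

    <!-- CVE-2024-0056: EF Core SqlServer 6.0.4 -> Microsoft.Data.SqlClient 2.1.4 -->
    <PackageReference Include="Microsoft.Data.SqlClient" Version="2.1.7" />

    <!-- CVE-2021-24112 and CVE-2022-34716: both reached through Microsoft.AspNetCore.Mvc 2.2.0.
         6.0.1 is the 6.x fix for the XML package; 4.7.1 is the 4.x alternative. -->
    <PackageReference Include="System.Drawing.Common" Version="4.7.2" />
    <PackageReference Include="System.Security.Cryptography.Xml" Version="6.0.1" />

    <!-- CVE-2022-41032, CVE-2023-29337, CVE-2024-0057: the NuGet.* client libraries reached
         through the scaffolding package. Pin them to one version at or above every listed
         fix (6.8.1 is the highest the report lists for NuGet.Packaging; assumed to exist for
         Protocol and Common as well). -->
    <PackageReference Include="NuGet.Packaging" Version="6.8.1" />
    <PackageReference Include="NuGet.Protocol" Version="6.8.1" />
    <PackageReference Include="NuGet.Common" Version="6.8.1" />
  </ItemGroup>

</Project>
```

Put each pin in the project that the entry's "Path to dependency file" names, then run `dotnet restore` and `dotnet list package --include-transitive` to confirm the resolved versions moved; a pin below what a dependency requires fails restore with NU1605 (package downgrade) rather than silently staying vulnerable. Two of the chains deserve a second look before pinning. The NuGet.* libraries arrive only through Microsoft.VisualStudio.Web.CodeGeneration.Design, a scaffolding tool, so their exposure is the developer machine and CI rather than the deployed Web app, although the scanner will keep flagging them until they are upgraded. Microsoft.AspNetCore.Mvc 2.2.0 is the legacy package form of MVC, which on .NET Core 3.0 and later comes from the Microsoft.AspNetCore.App shared framework; removing that 2.2.0 reference from the project that holds it drops both the System.Drawing.Common and System.Security.Cryptography.Xml chains instead of pinning them.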
Details
CVE-2024-0057
### Vulnerable Library - nuget.packaging.5.11.0.nupkg
NuGet's understanding of packages. Reading nuspec, nupkgs and package signing.
Library home page: https://api.nuget.org/packages/nuget.packaging.5.11.0.nupkg
Path to dependency file: /src/Web/Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.packaging/5.11.0/nuget.packaging.5.11.0.nupkg
Dependency Hierarchy:
- UnitTests-1.0.0 (Root Library)
  - Web-1.0.0
    - microsoft.visualstudio.web.codegeneration.design.6.0.3.nupkg
      - microsoft.visualstudio.web.codegenerators.mvc.6.0.3.nupkg
        - microsoft.visualstudio.web.codegeneration.6.0.3.nupkg
          - microsoft.visualstudio.web.codegeneration.entityframeworkcore.6.0.3.nupkg
            - microsoft.visualstudio.web.codegeneration.core.6.0.3.nupkg
              - microsoft.visualstudio.web.codegeneration.templating.6.0.3.nupkg
                - microsoft.visualstudio.web.codegeneration.utils.6.0.3.nupkg
                  - microsoft.dotnet.scaffolding.shared.6.0.3.nupkg
                    - nuget.projectmodel.5.11.0.nupkg
                      - nuget.dependencyresolver.core.5.11.0.nupkg
                        - nuget.protocol.5.11.0.nupkg
                          - :x: **nuget.packaging.5.11.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485
Found in base branch: main
### Vulnerability Details
.NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability
Publish Date: 2024-01-09
URL: CVE-2024-0057
### CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-68w7-72jg-6qpp
Release Date: 2024-01-09
Fix Resolution: NuGet.CommandLine - 5.11.6,6.0.6,6.3.4,6.4.3,6.6.2,6.7.1,6.8.1, NuGet.Packaging - 5.11.6,6.0.6,6.3.4,6.4.3,6.6.2,6.7.1,6.8.1
CVE-2024-0056
### Vulnerable Library - microsoft.data.sqlclient.2.1.4.nupkg
Provides the data provider for SQL Server. These classes provide access to versions of SQL Server an...
Library home page: https://api.nuget.org/packages/microsoft.data.sqlclient.2.1.4.nupkg
Path to dependency file: /src/Web/Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.data.sqlclient/2.1.4/microsoft.data.sqlclient.2.1.4.nupkg
Dependency Hierarchy:
- UnitTests-1.0.0 (Root Library)
  - Web-1.0.0
    - microsoft.entityframeworkcore.sqlserver.6.0.4.nupkg
      - :x: **microsoft.data.sqlclient.2.1.4.nupkg** (Vulnerable Library)
Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485
Found in base branch: main
### Vulnerability Details
Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability
Publish Date: 2024-01-09
URL: CVE-2024-0056
### CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-98g6-xh36-x2p7
Release Date: 2024-01-09
Fix Resolution: Microsoft.Data.SqlClient - 2.1.7,3.1.5,4.0.5,5.1.3, System.Data.SqlClient - 4.8.6
CVE-2021-24112
### Vulnerable Library - system.drawing.common.4.7.0.nupkg
Provides access to GDI+ graphics functionality. Commonly Used Types: System.Drawing.Bitmap System.D...
Library home page: https://api.nuget.org/packages/system.drawing.common.4.7.0.nupkg
Path to dependency file: /src/Web/Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.drawing.common/4.7.0/system.drawing.common.4.7.0.nupkg
Dependency Hierarchy:
- UnitTests-1.0.0 (Root Library)
  - microsoft.aspnetcore.mvc.2.2.0.nupkg
    - microsoft.aspnetcore.mvc.taghelpers.2.2.0.nupkg
      - microsoft.aspnetcore.mvc.razor.2.2.0.nupkg
        - microsoft.aspnetcore.mvc.viewfeatures.2.2.0.nupkg
          - microsoft.aspnetcore.antiforgery.2.2.0.nupkg
            - microsoft.aspnetcore.dataprotection.2.2.0.nupkg
              - system.security.cryptography.xml.4.5.0.nupkg
                - system.security.permissions.4.7.0.nupkg
                  - system.windows.extensions.4.7.0.nupkg
                    - :x: **system.drawing.common.4.7.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485
Found in base branch: main
### Vulnerability Details
.NET Core Remote Code Execution Vulnerability
Publish Date: 2021-02-25
URL: CVE-2021-24112
### CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-rxg9-xrhp-64gj
Release Date: 2021-02-25
Fix Resolution: System.Drawing.Common - 4.7.2,5.0.3
CVE-2022-41032
### Vulnerable Library - nuget.protocol.5.11.0.nupkg
NuGet's implementation for interacting with feeds. Contains functionality for all feed types.
Library home page: https://api.nuget.org/packages/nuget.protocol.5.11.0.nupkg
Path to dependency file: /src/Web/Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.protocol/5.11.0/nuget.protocol.5.11.0.nupkg
Dependency Hierarchy:
- UnitTests-1.0.0 (Root Library)
  - Web-1.0.0
    - microsoft.visualstudio.web.codegeneration.design.6.0.3.nupkg
      - microsoft.visualstudio.web.codegenerators.mvc.6.0.3.nupkg
        - microsoft.visualstudio.web.codegeneration.6.0.3.nupkg
          - microsoft.visualstudio.web.codegeneration.entityframeworkcore.6.0.3.nupkg
            - microsoft.visualstudio.web.codegeneration.core.6.0.3.nupkg
              - microsoft.visualstudio.web.codegeneration.templating.6.0.3.nupkg
                - microsoft.visualstudio.web.codegeneration.utils.6.0.3.nupkg
                  - microsoft.dotnet.scaffolding.shared.6.0.3.nupkg
                    - nuget.projectmodel.5.11.0.nupkg
                      - nuget.dependencyresolver.core.5.11.0.nupkg
                        - :x: **nuget.protocol.5.11.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485
Found in base branch: main
### Vulnerability Details
NuGet Client Elevation of Privilege Vulnerability.
Publish Date: 2022-10-11
URL: CVE-2022-41032
### CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Release Date: 2022-10-11
Fix Resolution: NuGet.CommandLine - 4.9.6,5.7.3,5.9.3,5.11.3,6.0.3,6.2.2,6.3.1;NuGet.Commands - 4.9.6,5.7.3,5.9.3,5.11.3,6.0.3,6.2.2,6.3.1;NuGet.Protocol - 4.9.6,5.7.3,5.9.3,5.11.3,6.0.3,6.2.2,6.3.1
CVE-2023-29337
### Vulnerable Libraries - nuget.protocol.5.11.0.nupkg, nuget.common.5.11.0.nupkg

### nuget.protocol.5.11.0.nupkg
NuGet's implementation for interacting with feeds. Contains functionality for all feed types.
Library home page: https://api.nuget.org/packages/nuget.protocol.5.11.0.nupkg
Path to dependency file: /src/Web/Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.protocol/5.11.0/nuget.protocol.5.11.0.nupkg
Dependency Hierarchy:
- UnitTests-1.0.0 (Root Library)
  - Web-1.0.0
    - microsoft.visualstudio.web.codegeneration.design.6.0.3.nupkg
      - microsoft.visualstudio.web.codegenerators.mvc.6.0.3.nupkg
        - microsoft.visualstudio.web.codegeneration.6.0.3.nupkg
          - microsoft.visualstudio.web.codegeneration.entityframeworkcore.6.0.3.nupkg
            - microsoft.visualstudio.web.codegeneration.core.6.0.3.nupkg
              - microsoft.visualstudio.web.codegeneration.templating.6.0.3.nupkg
                - microsoft.visualstudio.web.codegeneration.utils.6.0.3.nupkg
                  - microsoft.dotnet.scaffolding.shared.6.0.3.nupkg
                    - nuget.projectmodel.5.11.0.nupkg
                      - nuget.dependencyresolver.core.5.11.0.nupkg
                        - :x: **nuget.protocol.5.11.0.nupkg** (Vulnerable Library)

### nuget.common.5.11.0.nupkg
Common utilities and interfaces for all NuGet libraries.
Library home page: https://api.nuget.org/packages/nuget.common.5.11.0.nupkg
Path to dependency file: /src/Web/Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.common/5.11.0/nuget.common.5.11.0.nupkg
Dependency Hierarchy:
- UnitTests-1.0.0 (Root Library)
  - Web-1.0.0
    - microsoft.visualstudio.web.codegeneration.design.6.0.3.nupkg
      - microsoft.visualstudio.web.codegenerators.mvc.6.0.3.nupkg
        - microsoft.visualstudio.web.codegeneration.6.0.3.nupkg
          - microsoft.visualstudio.web.codegeneration.entityframeworkcore.6.0.3.nupkg
            - microsoft.visualstudio.web.codegeneration.core.6.0.3.nupkg
              - microsoft.visualstudio.web.codegeneration.templating.6.0.3.nupkg
                - microsoft.visualstudio.web.codegeneration.utils.6.0.3.nupkg
                  - microsoft.dotnet.scaffolding.shared.6.0.3.nupkg
                    - nuget.projectmodel.5.11.0.nupkg
                      - nuget.dependencyresolver.core.5.11.0.nupkg
                        - nuget.librarymodel.5.11.0.nupkg
                          - :x: **nuget.common.5.11.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485
Found in base branch: main
### Vulnerability Details
NuGet Client Remote Code Execution Vulnerability
Publish Date: 2023-06-14
URL: CVE-2023-29337
### CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-6qmf-mmc7-6c2p
Release Date: 2023-06-14
Fix Resolution: NuGet.CommandLine - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1, NuGet.Commands - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1, NuGet.Common - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1, NuGet.PackageManagement - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1, NuGet.Protocol - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1
CVE-2024-21319
### Vulnerable Library - microsoft.identitymodel.jsonwebtokens.6.17.0.nupkg
Includes types that provide support for creating, serializing and validating JSON Web Tokens.
Library home page: https://api.nuget.org/packages/microsoft.identitymodel.jsonwebtokens.6.17.0.nupkg
Path to dependency file: /src/Web/Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/6.17.0/microsoft.identitymodel.jsonwebtokens.6.17.0.nupkg
Dependency Hierarchy:
- UnitTests-1.0.0 (Root Library)
  - Web-1.0.0
    - microsoft.aspnetcore.authentication.jwtbearer.6.0.4.nupkg
      - microsoft.identitymodel.protocols.openidconnect.6.10.0.nupkg
        - system.identitymodel.tokens.jwt.6.17.0.nupkg
          - :x: **microsoft.identitymodel.jsonwebtokens.6.17.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485
Found in base branch: main
### Vulnerability Details
Microsoft Identity Denial of Service Vulnerability
Publish Date: 2024-01-09
URL: CVE-2024-21319
### CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-8g9c-28fc-mcx2
Release Date: 2024-01-09
Fix Resolution: System.IdentityModel.Tokens.Jwt - 5.7.0,6.34.0,7.1.2, Microsoft.IdentityModel.JsonWebTokens - 5.7.0,6.34.0,7.1.2
CVE-2022-34716
### Vulnerable Library - system.security.cryptography.xml.4.5.0.nupkg
Provides classes to support the creation and validation of XML digital signatures. The classes in th...
Library home page: https://api.nuget.org/packages/system.security.cryptography.xml.4.5.0.nupkg
Path to dependency file: /tests/IntegrationTests/IntegrationTests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.security.cryptography.xml/4.5.0/system.security.cryptography.xml.4.5.0.nupkg
Dependency Hierarchy:
- UnitTests-1.0.0 (Root Library)
  - microsoft.aspnetcore.mvc.2.2.0.nupkg
    - microsoft.aspnetcore.mvc.taghelpers.2.2.0.nupkg
      - microsoft.aspnetcore.mvc.razor.2.2.0.nupkg
        - microsoft.aspnetcore.mvc.viewfeatures.2.2.0.nupkg
          - microsoft.aspnetcore.antiforgery.2.2.0.nupkg
            - microsoft.aspnetcore.dataprotection.2.2.0.nupkg
              - :x: **system.security.cryptography.xml.4.5.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485
Found in base branch: main
### Vulnerability Details
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. An information disclosure vulnerability exists in .NET Core 3.1 and .NET 6.0 that could lead to unauthorized access of privileged information.

Affected software:
* Any .NET 6.0 application running on .NET 6.0.7 or earlier.
* Any .NET Core 3.1 application running on .NET Core 3.1.27 or earlier.

Patches:
* If you're using .NET 6.0, you should download and install Runtime 6.0.8 or SDK 6.0.108 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0.
* If you're using .NET Core 3.1, you should download and install Runtime 3.1.28 (for Visual Studio 2019 v16.9) from https://dotnet.microsoft.com/download/dotnet-core/3.1.
Publish Date: 2022-08-09
URL: CVE-2022-34716
### CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-2m65-m22p-9wjw
Release Date: 2022-08-09
Fix Resolution: Microsoft.AspNetCore.App.Runtime.linux-arm - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-arm64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-musl-arm - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-musl-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.osx-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-arm - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-arm64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-x86 - 3.1.28,6.0.8;System.Security.Cryptography.Xml - 4.7.1,6.0.1
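Each entry above gives fix versions for a package, but the fix only counts once restore actually resolves a version at or above it, for the transitive packages as much as the direct ones. The script below is an added example, not part of the scanner or of the scanned project. It reads the `targets` section of NuGet's obj/project.assets.json (written by `dotnet restore`, one `Name/Version` key per resolved package per target framework) and compares every resolved package against the Fix Resolution lines of this report. A resolved version counts as fixed only if a listed fix in the same major.minor band is at or below it, or if it is newer than every listed fix; anything else is reported. That deliberately over-flags versions in bands the report does not list rather than missing one; the authoritative affected ranges are in the linked GHSA advisories. The assets document embedded in the script is constructed for the example with the versions this report found, and the pin set it checks afterwards uses the report's fix versions (NuGet.Protocol and NuGet.Common 6.8.1 are assumed to ship alongside the listed NuGet.Packaging 6.8.1).

```python
"""Audit the packages restore resolved for a .NET project against the Fix Resolution
versions of the scanner report above (added example, not scanner or project code).

Reads obj/project.assets.json, whose "targets" section lists every package actually
resolved for a target framework, transitive ones included, under "Name/Version" keys."""
import json
import sys
from typing import Dict, List, Tuple

# Fix versions copied from the report's Fix Resolution lines (packages present in the graph).
FIXES: Dict[str, Dict[str, List[str]]] = {
    "CVE-2024-0057": {"NuGet.Packaging": ["5.11.6", "6.0.6", "6.3.4", "6.4.3", "6.6.2", "6.7.1", "6.8.1"]},
    "CVE-2024-0056": {"Microsoft.Data.SqlClient": ["2.1.7", "3.1.5", "4.0.5", "5.1.3"],
                      "System.Data.SqlClient": ["4.8.6"]},
    "CVE-2021-24112": {"System.Drawing.Common": ["4.7.2", "5.0.3"]},
    "CVE-2022-41032": {"NuGet.Protocol": ["4.9.6", "5.7.3", "5.9.3", "5.11.3", "6.0.3", "6.2.2", "6.3.1"]},
    "CVE-2023-29337": {"NuGet.Protocol": ["6.0.5", "6.2.4", "6.3.3", "6.4.2", "6.5.1", "6.6.1"],
                       "NuGet.Common": ["6.0.5", "6.2.4", "6.3.3", "6.4.2", "6.5.1", "6.6.1"]},
    "CVE-2024-21319": {"System.IdentityModel.Tokens.Jwt": ["5.7.0", "6.34.0", "7.1.2"],
                       "Microsoft.IdentityModel.JsonWebTokens": ["5.7.0", "6.34.0", "7.1.2"]},
    "CVE-2022-34716": {"System.Security.Cryptography.Xml": ["4.7.1", "6.0.1"]},
}

Version = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Version:
    """NuGet version string -> comparable tuple; "6.0.0-preview.1" sorts below "6.0.0"."""
    core, _, prerelease = text.split("+", 1)[0].partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3], 0 if prerelease else 1)


def is_fixed(resolved: str, fixes: List[str]) -> bool:
    """Conservative: fixed if a listed fix in the same major.minor band is <= resolved,
    or resolved is newer than every listed fix. Anything else is treated as vulnerable."""
    v = parse_version(resolved)
    fixed = sorted(parse_version(f) for f in fixes)
    same_band = [f for f in fixed if f[:2] == v[:2]]
    if same_band:
        return v >= same_band[0]
    return v > fixed[-1]


def resolved_packages(assets: dict, target: str) -> Dict[str, str]:
    """Lower-cased package id -> resolved version for one target framework."""
    out: Dict[str, str] = {}
    for key, entry in assets["targets"][target].items():
        if entry.get("type") == "package":  # skip project references
            name, _, version = key.partition("/")
            out[name.lower()] = version
    return out


def audit(assets: dict, target: str) -> List[Tuple[str, str, str]]:
    """(cve, package, resolved version) for every resolved package still below its fix."""
    resolved = resolved_packages(assets, target)
    findings = []
    for cve, packages in FIXES.items():
        for name, fixes in packages.items():
            version = resolved.get(name.lower())
            if version is not None and not is_fixed(version, fixes):
                findings.append((cve, name, version))
    return findings


def with_pins(assets: dict, target: str, pins: Dict[str, str]) -> dict:
    """Copy of the assets document with the pinned packages re-keyed at their new versions:
    stands in for the file a restore would write after direct PackageReferences at those versions."""
    new = json.loads(json.dumps(assets))
    entries = new["targets"][target]
    wanted = {p.lower(): v for p, v in pins.items()}
    for key in list(entries):
        name = key.partition("/")[0]
        if name.lower() in wanted:
            entries[f"{name}/{wanted[name.lower()]}"] = entries.pop(key)
    return new


# Constructed for this example: the "targets" shape of project.assets.json with the versions
# the report found, plus one unrelated package that must be ignored.
SAMPLE_ASSETS = {
    "version": 3,
    "targets": {"net6.0": {
        "Microsoft.EntityFrameworkCore.SqlServer/6.0.4": {
            "type": "package", "dependencies": {"Microsoft.Data.SqlClient": "2.1.4"}},
        "Microsoft.Data.SqlClient/2.1.4": {"type": "package"},
        "System.IdentityModel.Tokens.Jwt/6.17.0": {"type": "package"},
        "Microsoft.IdentityModel.JsonWebTokens/6.17.0": {"type": "package"},
        "System.Drawing.Common/4.7.0": {"type": "package"},
        "System.Security.Cryptography.Xml/4.5.0": {"type": "package"},
        "NuGet.Packaging/5.11.0": {"type": "package"},
        "NuGet.Protocol/5.11.0": {"type": "package"},
        "NuGet.Common/5.11.0": {"type": "package"},
        "Newtonsoft.Json/13.0.1": {"type": "package"},
    }},
}

# Direct-reference pins at the report's fix versions (NuGet.Protocol/Common 6.8.1 assumed
# to ship alongside the NuGet.Packaging 6.8.1 the report lists).
REMEDIATION_PINS = {
    "System.IdentityModel.Tokens.Jwt": "6.34.0", "Microsoft.IdentityModel.JsonWebTokens": "6.34.0",
    "Microsoft.Data.SqlClient": "2.1.7", "System.Drawing.Common": "4.7.2",
    "System.Security.Cryptography.Xml": "6.0.1",
    "NuGet.Packaging": "6.8.1", "NuGet.Protocol": "6.8.1", "NuGet.Common": "6.8.1",
}

if __name__ == "__main__":
    # Usage: python audit_assets.py [path/to/obj/project.assets.json] [target-framework]
    assets = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ASSETS
    target = sys.argv[2] if len(sys.argv) > 2 else next(iter(assets["targets"]))
    for cve, name, version in audit(assets, target):
        print(f"{cve}: {name} {version} resolved, below fix {FIXES[cve][name]}")
    print("after pins:", audit(with_pins(assets, target, REMEDIATION_PINS), target) or "clean")
```

Run it against the real obj/project.assets.json of each project the report names after `dotnet restore`; on the constructed sample it reports all nine resolved packages from the report and nothing after the pins. Because it keys on what restore resolved rather than on the csproj, it also catches a pin that NuGet ignored or a second project in the solution that still pulls the old version.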