clindseywsdemo / DotNET-eShop-Core

MIT License

UnitTests-1.0.0: 7 vulnerabilities (highest severity is: 9.1) #53

Open mend-for-github-com[bot] opened 2 years ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - UnitTests-1.0.0

Path to dependency file: /tests/IntegrationTests/IntegrationTests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/6.17.0/microsoft.identitymodel.jsonwebtokens.6.17.0.nupkg

Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (UnitTests version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-0057 | Critical | 9.1 | nuget.packaging.5.11.0.nupkg | Transitive | N/A* | |
| CVE-2024-0056 | High | 8.7 | microsoft.data.sqlclient.2.1.4.nupkg | Transitive | N/A* | |
| CVE-2021-24112 | High | 8.1 | system.drawing.common.4.7.0.nupkg | Transitive | N/A* | |
| CVE-2022-41032 | High | 7.8 | nuget.protocol.5.11.0.nupkg | Transitive | N/A* | |
| CVE-2023-29337 | High | 7.1 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2024-21319 | Medium | 6.8 | microsoft.identitymodel.jsonwebtokens.6.17.0.nupkg | Transitive | N/A* | |
| CVE-2022-34716 | Medium | 5.9 | system.security.cryptography.xml.4.5.0.nupkg | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

## CVE-2024-0057

### Vulnerable Library - nuget.packaging.5.11.0.nupkg

NuGet's understanding of packages. Reading nuspec, nupkgs and package signing.

Library home page: https://api.nuget.org/packages/nuget.packaging.5.11.0.nupkg

Path to dependency file: /src/Web/Web.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.packaging/5.11.0/nuget.packaging.5.11.0.nupkg

Dependency Hierarchy:

- UnitTests-1.0.0 (Root Library)
  - Web-1.0.0
    - microsoft.visualstudio.web.codegeneration.design.6.0.3.nupkg
      - microsoft.visualstudio.web.codegenerators.mvc.6.0.3.nupkg
        - microsoft.visualstudio.web.codegeneration.6.0.3.nupkg
          - microsoft.visualstudio.web.codegeneration.entityframeworkcore.6.0.3.nupkg
            - microsoft.visualstudio.web.codegeneration.core.6.0.3.nupkg
              - microsoft.visualstudio.web.codegeneration.templating.6.0.3.nupkg
                - microsoft.visualstudio.web.codegeneration.utils.6.0.3.nupkg
                  - microsoft.dotnet.scaffolding.shared.6.0.3.nupkg
                    - nuget.projectmodel.5.11.0.nupkg
                      - nuget.dependencyresolver.core.5.11.0.nupkg
                        - nuget.protocol.5.11.0.nupkg
                          - :x: **nuget.packaging.5.11.0.nupkg** (Vulnerable Library)

Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485

Found in base branch: main

### Vulnerability Details

.NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability

Publish Date: 2024-01-09

URL: CVE-2024-0057

### CVSS 3 Score Details (9.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-68w7-72jg-6qpp

Release Date: 2024-01-09

Fix Resolution:

- NuGet.CommandLine - 5.11.6, 6.0.6, 6.3.4, 6.4.3, 6.6.2, 6.7.1, 6.8.1
- NuGet.Packaging - 5.11.6, 6.0.6, 6.3.4, 6.4.3, 6.6.2, 6.7.1, 6.8.1

## CVE-2024-0056

### Vulnerable Library - microsoft.data.sqlclient.2.1.4.nupkg

Provides the data provider for SQL Server. These classes provide access to versions of SQL Server an...

Library home page: https://api.nuget.org/packages/microsoft.data.sqlclient.2.1.4.nupkg

Path to dependency file: /src/Web/Web.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.data.sqlclient/2.1.4/microsoft.data.sqlclient.2.1.4.nupkg

Dependency Hierarchy:

- UnitTests-1.0.0 (Root Library)
  - Web-1.0.0
    - microsoft.entityframeworkcore.sqlserver.6.0.4.nupkg
      - :x: **microsoft.data.sqlclient.2.1.4.nupkg** (Vulnerable Library)

Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485

Found in base branch: main

### Vulnerability Details

Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability

Publish Date: 2024-01-09

URL: CVE-2024-0056

### CVSS 3 Score Details (8.7)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-98g6-xh36-x2p7

Release Date: 2024-01-09

Fix Resolution:

- Microsoft.Data.SqlClient - 2.1.7, 3.1.5, 4.0.5, 5.1.3
- System.Data.SqlClient - 4.8.6

## CVE-2021-24112

### Vulnerable Library - system.drawing.common.4.7.0.nupkg

Provides access to GDI+ graphics functionality. Commonly Used Types: System.Drawing.Bitmap System.D...

Library home page: https://api.nuget.org/packages/system.drawing.common.4.7.0.nupkg

Path to dependency file: /src/Web/Web.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.drawing.common/4.7.0/system.drawing.common.4.7.0.nupkg

Dependency Hierarchy:

- UnitTests-1.0.0 (Root Library)
  - microsoft.aspnetcore.mvc.2.2.0.nupkg
    - microsoft.aspnetcore.mvc.taghelpers.2.2.0.nupkg
      - microsoft.aspnetcore.mvc.razor.2.2.0.nupkg
        - microsoft.aspnetcore.mvc.viewfeatures.2.2.0.nupkg
          - microsoft.aspnetcore.antiforgery.2.2.0.nupkg
            - microsoft.aspnetcore.dataprotection.2.2.0.nupkg
              - system.security.cryptography.xml.4.5.0.nupkg
                - system.security.permissions.4.7.0.nupkg
                  - system.windows.extensions.4.7.0.nupkg
                    - :x: **system.drawing.common.4.7.0.nupkg** (Vulnerable Library)

Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485

Found in base branch: main

### Vulnerability Details

.NET Core Remote Code Execution Vulnerability

Publish Date: 2021-02-25

URL: CVE-2021-24112

### CVSS 3 Score Details (8.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-rxg9-xrhp-64gj

Release Date: 2021-02-25

Fix Resolution: System.Drawing.Common - 4.7.2,5.0.3

## CVE-2022-41032

### Vulnerable Library - nuget.protocol.5.11.0.nupkg

NuGet's implementation for interacting with feeds. Contains functionality for all feed types.

Library home page: https://api.nuget.org/packages/nuget.protocol.5.11.0.nupkg

Path to dependency file: /src/Web/Web.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.protocol/5.11.0/nuget.protocol.5.11.0.nupkg

Dependency Hierarchy:

- UnitTests-1.0.0 (Root Library)
  - Web-1.0.0
    - microsoft.visualstudio.web.codegeneration.design.6.0.3.nupkg
      - microsoft.visualstudio.web.codegenerators.mvc.6.0.3.nupkg
        - microsoft.visualstudio.web.codegeneration.6.0.3.nupkg
          - microsoft.visualstudio.web.codegeneration.entityframeworkcore.6.0.3.nupkg
            - microsoft.visualstudio.web.codegeneration.core.6.0.3.nupkg
              - microsoft.visualstudio.web.codegeneration.templating.6.0.3.nupkg
                - microsoft.visualstudio.web.codegeneration.utils.6.0.3.nupkg
                  - microsoft.dotnet.scaffolding.shared.6.0.3.nupkg
                    - nuget.projectmodel.5.11.0.nupkg
                      - nuget.dependencyresolver.core.5.11.0.nupkg
                        - :x: **nuget.protocol.5.11.0.nupkg** (Vulnerable Library)

Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485

Found in base branch: main

### Vulnerability Details

NuGet Client Elevation of Privilege Vulnerability.

Publish Date: 2022-10-11

URL: CVE-2022-41032

### CVSS 3 Score Details (7.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Release Date: 2022-10-11

Fix Resolution:

- NuGet.CommandLine - 4.9.6, 5.7.3, 5.9.3, 5.11.3, 6.0.3, 6.2.2, 6.3.1
- NuGet.Commands - 4.9.6, 5.7.3, 5.9.3, 5.11.3, 6.0.3, 6.2.2, 6.3.1
- NuGet.Protocol - 4.9.6, 5.7.3, 5.9.3, 5.11.3, 6.0.3, 6.2.2, 6.3.1

## CVE-2023-29337

### Vulnerable Libraries - nuget.protocol.5.11.0.nupkg, nuget.common.5.11.0.nupkg

### nuget.protocol.5.11.0.nupkg

NuGet's implementation for interacting with feeds. Contains functionality for all feed types.

Library home page: https://api.nuget.org/packages/nuget.protocol.5.11.0.nupkg

Path to dependency file: /src/Web/Web.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.protocol/5.11.0/nuget.protocol.5.11.0.nupkg

Dependency Hierarchy:

- UnitTests-1.0.0 (Root Library)
  - Web-1.0.0
    - microsoft.visualstudio.web.codegeneration.design.6.0.3.nupkg
      - microsoft.visualstudio.web.codegenerators.mvc.6.0.3.nupkg
        - microsoft.visualstudio.web.codegeneration.6.0.3.nupkg
          - microsoft.visualstudio.web.codegeneration.entityframeworkcore.6.0.3.nupkg
            - microsoft.visualstudio.web.codegeneration.core.6.0.3.nupkg
              - microsoft.visualstudio.web.codegeneration.templating.6.0.3.nupkg
                - microsoft.visualstudio.web.codegeneration.utils.6.0.3.nupkg
                  - microsoft.dotnet.scaffolding.shared.6.0.3.nupkg
                    - nuget.projectmodel.5.11.0.nupkg
                      - nuget.dependencyresolver.core.5.11.0.nupkg
                        - :x: **nuget.protocol.5.11.0.nupkg** (Vulnerable Library)

### nuget.common.5.11.0.nupkg

Common utilities and interfaces for all NuGet libraries.

Library home page: https://api.nuget.org/packages/nuget.common.5.11.0.nupkg

Path to dependency file: /src/Web/Web.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.common/5.11.0/nuget.common.5.11.0.nupkg

Dependency Hierarchy:

- UnitTests-1.0.0 (Root Library)
  - Web-1.0.0
    - microsoft.visualstudio.web.codegeneration.design.6.0.3.nupkg
      - microsoft.visualstudio.web.codegenerators.mvc.6.0.3.nupkg
        - microsoft.visualstudio.web.codegeneration.6.0.3.nupkg
          - microsoft.visualstudio.web.codegeneration.entityframeworkcore.6.0.3.nupkg
            - microsoft.visualstudio.web.codegeneration.core.6.0.3.nupkg
              - microsoft.visualstudio.web.codegeneration.templating.6.0.3.nupkg
                - microsoft.visualstudio.web.codegeneration.utils.6.0.3.nupkg
                  - microsoft.dotnet.scaffolding.shared.6.0.3.nupkg
                    - nuget.projectmodel.5.11.0.nupkg
                      - nuget.dependencyresolver.core.5.11.0.nupkg
                        - nuget.librarymodel.5.11.0.nupkg
                          - :x: **nuget.common.5.11.0.nupkg** (Vulnerable Library)

Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485

Found in base branch: main

### Vulnerability Details

NuGet Client Remote Code Execution Vulnerability

Publish Date: 2023-06-14

URL: CVE-2023-29337

### CVSS 3 Score Details (7.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-6qmf-mmc7-6c2p

Release Date: 2023-06-14

Fix Resolution:

- NuGet.CommandLine - 6.0.5, 6.2.4, 6.3.3, 6.4.2, 6.5.1, 6.6.1
- NuGet.Commands - 6.0.5, 6.2.4, 6.3.3, 6.4.2, 6.5.1, 6.6.1
- NuGet.Common - 6.0.5, 6.2.4, 6.3.3, 6.4.2, 6.5.1, 6.6.1
- NuGet.PackageManagement - 6.0.5, 6.2.4, 6.3.3, 6.4.2, 6.5.1, 6.6.1
- NuGet.Protocol - 6.0.5, 6.2.4, 6.3.3, 6.4.2, 6.5.1, 6.6.1

## CVE-2024-21319

### Vulnerable Library - microsoft.identitymodel.jsonwebtokens.6.17.0.nupkg

Includes types that provide support for creating, serializing and validating JSON Web Tokens.

Library home page: https://api.nuget.org/packages/microsoft.identitymodel.jsonwebtokens.6.17.0.nupkg

Path to dependency file: /src/Web/Web.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/6.17.0/microsoft.identitymodel.jsonwebtokens.6.17.0.nupkg

Dependency Hierarchy:

- UnitTests-1.0.0 (Root Library)
  - Web-1.0.0
    - microsoft.aspnetcore.authentication.jwtbearer.6.0.4.nupkg
      - microsoft.identitymodel.protocols.openidconnect.6.10.0.nupkg
        - system.identitymodel.tokens.jwt.6.17.0.nupkg
          - :x: **microsoft.identitymodel.jsonwebtokens.6.17.0.nupkg** (Vulnerable Library)

Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485

Found in base branch: main

### Vulnerability Details

Microsoft Identity Denial of Service Vulnerability

Publish Date: 2024-01-09

URL: CVE-2024-21319

### CVSS 3 Score Details (6.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-8g9c-28fc-mcx2

Release Date: 2024-01-09

Fix Resolution:

- System.IdentityModel.Tokens.Jwt - 5.7.0, 6.34.0, 7.1.2
- Microsoft.IdentityModel.JsonWebTokens - 5.7.0, 6.34.0, 7.1.2

## CVE-2022-34716

### Vulnerable Library - system.security.cryptography.xml.4.5.0.nupkg

Provides classes to support the creation and validation of XML digital signatures. The classes in th...

Library home page: https://api.nuget.org/packages/system.security.cryptography.xml.4.5.0.nupkg

Path to dependency file: /tests/IntegrationTests/IntegrationTests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.security.cryptography.xml/4.5.0/system.security.cryptography.xml.4.5.0.nupkg

Dependency Hierarchy:

- UnitTests-1.0.0 (Root Library)
  - microsoft.aspnetcore.mvc.2.2.0.nupkg
    - microsoft.aspnetcore.mvc.taghelpers.2.2.0.nupkg
      - microsoft.aspnetcore.mvc.razor.2.2.0.nupkg
        - microsoft.aspnetcore.mvc.viewfeatures.2.2.0.nupkg
          - microsoft.aspnetcore.antiforgery.2.2.0.nupkg
            - microsoft.aspnetcore.dataprotection.2.2.0.nupkg
              - :x: **system.security.cryptography.xml.4.5.0.nupkg** (Vulnerable Library)

Found in HEAD commit: 9fd8dea5c0669a85391baba4982053cfe87d6485

Found in base branch: main

### Vulnerability Details

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. An information disclosure vulnerability exists in .NET Core 3.1 and .NET 6.0 that could lead to unauthorized access of privileged information.

#### Affected software

* Any .NET 6.0 application running on .NET 6.0.7 or earlier.
* Any .NET Core 3.1 application running on .NET Core 3.1.27 or earlier.

#### Patches

* If you're using .NET 6.0, you should download and install Runtime 6.0.8 or SDK 6.0.108 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0.
* If you're using .NET Core 3.1, you should download and install Runtime 3.1.28 (for Visual Studio 2019 v16.9) from https://dotnet.microsoft.com/download/dotnet-core/3.1.

Publish Date: 2022-08-09

URL: CVE-2022-34716

### CVSS 3 Score Details (5.9)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-2m65-m22p-9wjw

Release Date: 2022-08-09

Fix Resolution:

- Microsoft.AspNetCore.App.Runtime.linux-arm - 3.1.28, 6.0.8
- Microsoft.AspNetCore.App.Runtime.linux-arm64 - 3.1.28, 6.0.8
- Microsoft.AspNetCore.App.Runtime.linux-musl-arm - 3.1.28, 6.0.8
- Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 - 3.1.28, 6.0.8
- Microsoft.AspNetCore.App.Runtime.linux-musl-x64 - 3.1.28, 6.0.8
- Microsoft.AspNetCore.App.Runtime.linux-x64 - 3.1.28, 6.0.8
- Microsoft.AspNetCore.App.Runtime.osx-x64 - 3.1.28, 6.0.8
- Microsoft.AspNetCore.App.Runtime.win-arm - 3.1.28, 6.0.8
- Microsoft.AspNetCore.App.Runtime.win-arm64 - 3.1.28, 6.0.8
- Microsoft.AspNetCore.App.Runtime.win-x64 - 3.1.28, 6.0.8
- Microsoft.AspNetCore.App.Runtime.win-x86 - 3.1.28, 6.0.8
- System.Security.Cryptography.Xml - 4.7.1, 6.0.1