dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

CVE-2017-11883 on Microsoft.AspNetCore.JsonPatch.2.0.0 #3130

Closed mesteves-mw closed 6 years ago

mesteves-mw commented 6 years ago

After using OWASP dependency check for a vulnerability scan it found the issue: CVE-2017-11883 on package Microsoft.AspNetCore.JsonPatch.2.0.0.

.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack against a .NET Core web application by improperly handling web requests, aka ".NET CORE Denial Of Service Vulnerability".

Is there a workaround? If not, is it possible to get it fixed please for the next release?

More info here: https://github.com/aspnet/announcements/issues/278

blowdart commented 6 years ago

I'm confused here; JsonPatch doesn't take any dependencies on any of the vulnerable packages in that CVE, so it doesn't need any update.

mesteves-mw commented 6 years ago

I ran https://www.owasp.org/index.php/OWASP_Dependency_Check again and this is the report I get:

[attached screenshot of the dependency-check report]

It may be because the tool identifies this package as part of CPE "cpe:/a:microsoft:aspnetcore:2.0". Then it lists all CVEs from that CPE like these ones: https://nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Amicrosoft%3Aaspnetcore%3A2.0
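The mapping described above (one NuGet package matched to the family-wide CPE `cpe:/a:microsoft:aspnetcore:2.0`, after which every CVE filed under that CPE is reported against it) is the usual source of this kind of false positive. The following triage helper is an added example written for this page; it is not code from the issue thread, from ASP.NET Core, or from OWASP Dependency-Check. The finding structure, the dependency graph, the CVE-to-package mapping and the package name `Example.Affected.Package` are all constructed for illustration; the real list of packages affected by a CVE has to be taken from the vendor advisory.

```python
"""Triage scanner findings that come from a broad CPE match.

Added example, not part of the issue thread or of OWASP Dependency-Check.
It models the behaviour discussed in the thread: a scanner maps a NuGet
package to a product-family CPE and then lists every CVE under that CPE,
whether or not the package contains the vulnerable code. A finding is only
confirmed when the package, or something it pulls in transitively, is one of
the packages the advisory actually names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    package: str   # NuGet package id as the scanner reports it
    version: str
    cpe: str       # CPE the scanner matched the package to
    cve: str       # CVE listed under that CPE


def cpe_product(cpe: str) -> str:
    """Return the product field of a CPE 2.2 URI (cpe:/a:vendor:product:version)."""
    parts = cpe.split(":")
    return parts[3] if len(parts) > 3 else ""


def is_broad_match(finding: Finding) -> bool:
    """True when the CPE product names a product family rather than this package.

    "aspnetcore" matched against "Microsoft.AspNetCore.JsonPatch" is such a
    match: the product string is only a fragment of the package id.
    """
    package_key = finding.package.lower().replace(".", "")
    product = cpe_product(finding.cpe).lower().replace(".", "")
    return product != package_key and product in package_key


def transitive_closure(graph: dict, root: str) -> set:
    """All packages reachable from root in the dependency graph, root included."""
    seen, stack = set(), [root]
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        stack.extend(graph.get(pkg, []))
    return seen


def triage(finding: Finding, graph: dict, affected_by_cve: dict) -> str:
    """Classify a finding as 'confirmed', 'likely-false-positive' or 'review'."""
    affected = affected_by_cve.get(finding.cve, set())
    if transitive_closure(graph, finding.package) & affected:
        return "confirmed"
    if is_broad_match(finding):
        return "likely-false-positive"
    return "review"


# Constructed dependency graph: package -> direct dependencies.
SAMPLE_GRAPH = {
    "Microsoft.AspNetCore.JsonPatch": ["Newtonsoft.Json", "Microsoft.CSharp"],
    "Example.Consumer": ["Example.Affected.Package"],
}

# Constructed mapping; "Example.Affected.Package" is a placeholder, not a
# package named in the real advisory for CVE-2017-11883.
AFFECTED_BY_CVE = {
    "CVE-2017-11883": {"Example.Affected.Package"},
}

SAMPLE_FINDINGS = [
    Finding("Microsoft.AspNetCore.JsonPatch", "2.0.0",
            "cpe:/a:microsoft:aspnetcore:2.0", "CVE-2017-11883"),
    Finding("Example.Consumer", "1.0.0",
            "cpe:/a:microsoft:aspnetcore:2.0", "CVE-2017-11883"),
]


def triage_report(findings=SAMPLE_FINDINGS, graph=SAMPLE_GRAPH,
                  affected_by_cve=AFFECTED_BY_CVE) -> dict:
    """Map each reported package to its triage verdict."""
    return {f.package: triage(f, graph, affected_by_cve) for f in findings}


if __name__ == "__main__":
    for package, verdict in triage_report().items():
        print(f"{package}: {verdict}")
```

The verdict for the JsonPatch finding comes out as `likely-false-positive` because nothing in its dependency closure is on the affected list and the CPE product is only a fragment of the package id; the constructed `Example.Consumer` finding is `confirmed` because it transitively depends on a package the (constructed) advisory names. A "likely-false-positive" still deserves a human look at the advisory before it is suppressed in the scanner.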

blowdart commented 6 years ago

That could be it. The tool is wrong in this case, if it's lumping all of the asp.net core packages together. We don't rev non-MVC packages if they don't contain a problem, hence this package still being on 2.0.0.

blowdart commented 6 years ago

As this doesn't seem to be an asp.net problem, but rather one with the OWASP tool, I'm going to close this. If you feel there's something more we can do, please feel free to reopen.

mesteves-mw commented 6 years ago

Thanks @blowdart. I am now tracking issue here: https://github.com/jeremylong/DependencyCheck/issues/872.