Open jcburgo opened 2 months ago
FWIW, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0057 lists .NET 6.0.26 as the security update for this, and https://github.com/dotnet/core/blob/main/release-notes/6.0/6.0.26/6.0.26.md says CVE-2024-0057 is fixed there.
The CVE-2024-0057 description specifically refers to "Microsoft .NET Framework-based applications". Does that include applications running on .NET 6 at all, or does the vulnerability only apply to applications that use NuGet libraries from .NET but run on .NET Framework?
Yes, they both say the CVE is fixed in 6.0.26; however, the latest SDKs (e.g. 6.0.421) appear to have been built with `"NuGet.Packaging": "6.3.4-rc.2"`, which evaluates to less than v6.3.4, resulting in false positives in vulnerability scanners. I believe the fix was implemented, but entries like this

```
/dotnet-sdk-6.0.421-linux-x64/sdk/6.0.421/MSBuild.deps.json
"NuGet.Packaging/6.3.4-rc.2": {
"lib/net5.0/NuGet.Packaging.dll": {
"NuGet.Packaging.Core/6.3.4-rc.2": {
"NuGet.Packaging": "6.3.4-rc.2"
"lib/net5.0/NuGet.Packaging.Core.dll": {
"NuGet.Packaging": "6.3.4-rc.2"
"NuGet.Packaging": "6.3.4-rc.2",
"NuGet.Packaging.Core": "6.3.4-rc.2",
"NuGet.Packaging/6.3.4-rc.2": {
"NuGet.Packaging.Core/6.3.4-rc.2": {
```

cause vulnerability scanners to flag the SDK as vulnerable.
Here is an example from Trivy:
trivy filesystem sdk/
2024-04-22T11:12:32.785-0400 INFO Need to update DB
2024-04-22T11:12:32.785-0400 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2024-04-22T11:12:32.786-0400 INFO Downloading DB...
45.26 MiB / 45.26 MiB [-------------------------------------------------------------------------------------------------------------------] 100.00% 13.95 MiB p/s 3.4s
2024-04-22T11:12:36.926-0400 INFO Vulnerability scanning is enabled
2024-04-22T11:12:36.926-0400 INFO Secret scanning is enabled
2024-04-22T11:12:36.926-0400 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-04-22T11:12:36.926-0400 INFO Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2024-04-22T11:12:37.986-0400 INFO Number of language-specific files: 23
2024-04-22T11:12:37.986-0400 INFO Detecting dotnet-core vulnerabilities...
6.0.421/DotnetTools/dotnet-format/dotnet-format.deps.json (dotnet-core)
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
┌────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ System.Net.Http │ CVE-2018-8292 │ HIGH │ fixed │ 4.3.0 │ 4.3.4 │ .NET Core: information disclosure due to authentication │
│ │ │ │ │ │ │ information exposed in a redirect... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-8292 │
├────────────────────────────────┼───────────────┤ │ │ ├───────────────┼───────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions │ CVE-2019-0820 │ │ │ │ 4.3.1 │ dotnet: timeouts for regular expressions are not enforced │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-0820 │
└────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
6.0.421/DotnetTools/dotnet-watch/6.0.421-servicing.24172.16/tools/net6.0/any/dotnet-watch.deps.json (dotnet-core)
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
┌────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ System.Net.Http │ CVE-2018-8292 │ HIGH │ fixed │ 4.3.0 │ 4.3.4 │ .NET Core: information disclosure due to authentication │
│ │ │ │ │ │ │ information exposed in a redirect... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-8292 │
├────────────────────────────────┼───────────────┤ │ │ ├───────────────┼───────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions │ CVE-2019-0820 │ │ │ │ 4.3.1 │ dotnet: timeouts for regular expressions are not enforced │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-0820 │
└────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
6.0.421/FSharp/fsc.deps.json (dotnet-core)
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
┌───────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Pkcs │ CVE-2023-29331 │ HIGH │ fixed │ 6.0.1 │ 7.0.2, 6.0.3 │ dotnet: .NET Kestrel: Denial of Service processing X509 │
│ │ │ │ │ │ │ Certificates │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-29331 │
├───────────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Xml │ CVE-2022-34716 │ MEDIUM │ │ 6.0.0 │ 4.7.1, 6.0.1 │ dotnet: External Entity Injection during XML signature │
│ │ │ │ │ │ │ verification │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-34716 │
└───────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘
6.0.421/FSharp/fsi.deps.json (dotnet-core)
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
┌───────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Pkcs │ CVE-2023-29331 │ HIGH │ fixed │ 6.0.1 │ 7.0.2, 6.0.3 │ dotnet: .NET Kestrel: Denial of Service processing X509 │
│ │ │ │ │ │ │ Certificates │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-29331 │
├───────────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Xml │ CVE-2022-34716 │ MEDIUM │ │ 6.0.0 │ 4.7.1, 6.0.1 │ dotnet: External Entity Injection during XML signature │
│ │ │ │ │ │ │ verification │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-34716 │
└───────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘
6.0.421/MSBuild.deps.json (dotnet-core)
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 1)
┌──────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ NuGet.Packaging │ CVE-2024-0057 │ CRITICAL │ fixed │ 6.3.4-rc.2 │ 5.11.6, 6.0.6, 6.3.4, 6.4.3, 6.6.2, 6.7.1, 6.8.1 │ dotnet: X509 Certificates - Validation Bypass across Azure │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-0057 │
├──────────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Xml │ CVE-2022-34716 │ MEDIUM │ │ 6.0.0 │ 4.7.1, 6.0.1 │ dotnet: External Entity Injection during XML signature │
│ │ │ │ │ │ │ verification │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-34716 │
├──────────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions │ CVE-2019-0820 │ HIGH │ │ 4.3.0 │ 4.3.1 │ dotnet: timeouts for regular expressions are not enforced │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-0820 │
└──────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────────────┴────────────────────────────────────────────────────────────┘
6.0.421/NuGet.CommandLine.XPlat.deps.json (dotnet-core)
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 1)
┌──────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ NuGet.Packaging │ CVE-2024-0057 │ CRITICAL │ fixed │ 6.3.4-rc.2 │ 5.11.6, 6.0.6, 6.3.4, 6.4.3, 6.6.2, 6.7.1, 6.8.1 │ dotnet: X509 Certificates - Validation Bypass across Azure │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-0057 │
├──────────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Xml │ CVE-2022-34716 │ MEDIUM │ │ 6.0.0 │ 4.7.1, 6.0.1 │ dotnet: External Entity Injection during XML signature │
│ │ │ │ │ │ │ verification │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-34716 │
├──────────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions │ CVE-2019-0820 │ HIGH │ │ 4.3.0 │ 4.3.1 │ dotnet: timeouts for regular expressions are not enforced │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-0820 │
└──────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────────────┴────────────────────────────────────────────────────────────┘
6.0.421/Sdks/Microsoft.NET.ILLink.Tasks/tools/net6.0/ILLink.Tasks.deps.json (dotnet-core)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────┤
│ System.Drawing.Common │ CVE-2021-24112 │ CRITICAL │ fixed │ 4.7.0 │ 4.7.2, 5.0.3 │ dotnet: Remote Code Execution Vulnerability │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-24112 │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────┘
6.0.421/dotnet-watch.deps.json (dotnet-core)
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
┌────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ System.Net.Http │ CVE-2018-8292 │ HIGH │ fixed │ 4.3.0 │ 4.3.4 │ .NET Core: information disclosure due to authentication │
│ │ │ │ │ │ │ information exposed in a redirect... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-8292 │
├────────────────────────────────┼───────────────┤ │ │ ├───────────────┼───────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions │ CVE-2019-0820 │ │ │ │ 4.3.1 │ dotnet: timeouts for regular expressions are not enforced │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-0820 │
└────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
6.0.421/dotnet.deps.json (dotnet-core)
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 1)
┌──────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ NuGet.Packaging │ CVE-2024-0057 │ CRITICAL │ fixed │ 6.3.4-rc.2 │ 5.11.6, 6.0.6, 6.3.4, 6.4.3, 6.6.2, 6.7.1, 6.8.1 │ dotnet: X509 Certificates - Validation Bypass across Azure │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-0057 │
├──────────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Xml │ CVE-2022-34716 │ MEDIUM │ │ 6.0.0 │ 4.7.1, 6.0.1 │ dotnet: External Entity Injection during XML signature │
│ │ │ │ │ │ │ verification │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-34716 │
├──────────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions │ CVE-2019-0820 │ HIGH │ │ 4.3.0 │ 4.3.1 │ dotnet: timeouts for regular expressions are not enforced │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-0820 │
└──────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────────────┴────────────────────────────────────────────────────────────┘
Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don’t forget to check out NuGet’s contributing guide before submitting an issue!
If you believe this issue was closed out of error, please comment to let us know.
Happy Coding!
This is not a NuGet issue. The SDK was built with a potentially vulnerable version of NuGet, so the SDK needs to update its dependencies.
This is actually an issue on the nuget side (as well as impacting other tools) tracked by this internal issue: https://github.com/NuGet/Client.Engineering/issues/2735
Because feeds don't handle stable versions well if you need a rebuild, nuget and other tools teams flow unstable versions into the SDK. Those binaries are identical. This allows them more consistency on the feed used.
One recommendation is to change the branding to -rtm but that'll still be flagged by some scanners. We could try to modify the deps.json before shipping but that's a bit hacky. It'd be better to find a way to flow an unstable version in the main feed that wasn't a prerelease or find a way to flow the stable version.
CC @nkolev92 as he was aware of the linked issue.
Describe the bug
The dotnet 6.0 versions since 6.0.26 list the version of the NuGet.Packaging dependency in the SDK as

```
"NuGet.Packaging": "6.3.4-rc.2"
```

which evaluates as less than [1] the fixed version (6.3.4) in the advisory [2]. As a result, vulnerability scanners flag the latest SDK version (e.g. 6.0.421) as vulnerable to CVE-2024-0057 (Critical). I am not certain if NuGet.Packaging v6.3.4-rc.2 includes the fix for CVE-2024-0057, so I am not certain if the versions of dotnet since 6.0.26 are patched.
I see two approaches to resolving this issue:
References:
[1] - https://learn.microsoft.com/en-us/nuget/concepts/package-versioning?tabs=semver20sort#pre-release-versions
[2] - https://github.com/NuGet/NuGet.Client/security/advisories/GHSA-68w7-72jg-6qpp
To Reproduce
N/A
Exceptions (if any)
N/A
Further technical details
N/A
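The mechanism behind the false positive described in the issue body and in the reply showing the MSBuild.deps.json entries is NuGet's SemVer 2.0 precedence: a pre-release label makes `6.3.4-rc.2` sort below `6.3.4`, so a scanner comparing the installed version against the advisory's fixed versions reports it as unpatched. The following is an added, self-contained example (not code from this thread, the dotnet SDK, NuGet, or Trivy): it implements that precedence rule, applies a simplified branch-aware "is this version below its fix?" check to the fixed-version list quoted in the Trivy output, and runs it over a deps.json fragment constructed to mirror the quoted entries. The `is_flagged` rule is an assumption about how such scanners decide, not Trivy's actual matching code, and `Example.Library` is a placeholder package.

```python
"""Added example: why NuGet.Packaging 6.3.4-rc.2 is flagged against fixed version 6.3.4.

Not from the issue thread, the dotnet SDK, NuGet or Trivy. The deps.json sample and
the fixed-version list are constructed from values quoted in the issue; is_flagged()
is a simplified approximation of branch-aware scanner logic, not Trivy's code.
"""
import json
import re
from functools import total_ordering

# NuGet version: up to four numeric parts, optional pre-release label, optional
# build metadata (ignored for precedence, per SemVer 2.0).
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)(?:\.(?P<minor>\d+))?(?:\.(?P<patch>\d+))?(?:\.(?P<rev>\d+))?"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


@total_ordering
class NuGetVersion:
    """A NuGet version ordered by SemVer 2.0 precedence."""

    def __init__(self, text: str):
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a NuGet version: {text!r}")
        self.text = text.strip()
        self.numeric = tuple(int(m.group(g) or 0) for g in ("major", "minor", "patch", "rev"))
        pre = m.group("pre")
        self.prerelease = tuple(pre.split(".")) if pre else ()

    @staticmethod
    def _ident_key(ident: str):
        # Numeric identifiers compare numerically and rank below alphanumeric ones;
        # NuGet compares alphanumeric identifiers case-insensitively.
        return (0, int(ident), "") if ident.isdigit() else (1, 0, ident.lower())

    def key(self):
        # A release (no pre-release label) outranks every pre-release of the same
        # number; pre-releases compare identifier by identifier, shorter list first.
        release_rank = 0 if self.prerelease else 1
        return (self.numeric, release_rank, tuple(self._ident_key(i) for i in self.prerelease))

    def __eq__(self, other):
        return self.key() == other.key()

    def __lt__(self, other):
        return self.key() < other.key()

    def __repr__(self):
        return self.text


# Fixed versions for CVE-2024-0057 as listed in the Trivy output quoted in the issue.
FIXED_VERSIONS = [NuGetVersion(v) for v in
                  "5.11.6, 6.0.6, 6.3.4, 6.4.3, 6.6.2, 6.7.1, 6.8.1".split(", ")]


def is_flagged(installed: str, fixed: list) -> bool:
    """Simplified scanner rule (assumption): patched if at/after the newest fix, or at/after
    the fix on the same major.minor branch; otherwise flagged."""
    v = NuGetVersion(installed)
    if v >= max(fixed):
        return False
    same_branch = [f for f in fixed if f.numeric[:2] == v.numeric[:2]]
    if same_branch:
        return v < min(same_branch)
    return True


# Constructed deps.json fragment mirroring the MSBuild.deps.json entries quoted above.
SAMPLE_DEPS_JSON = json.dumps({
    "targets": {
        ".NETCoreApp,Version=v6.0": {
            "NuGet.Packaging/6.3.4-rc.2": {
                "dependencies": {"NuGet.Packaging.Core": "6.3.4-rc.2"},
                "runtime": {"lib/net5.0/NuGet.Packaging.dll": {}},
            },
            "NuGet.Packaging.Core/6.3.4-rc.2": {
                "runtime": {"lib/net5.0/NuGet.Packaging.Core.dll": {}},
            },
            "Example.Library/1.0.0": {"runtime": {"lib/net6.0/Example.Library.dll": {}}},
        }
    }
})

# Advisory table (package -> CVE, fixed versions); only the entry the issue is about.
ADVISORIES = {"NuGet.Packaging": ("CVE-2024-0057", FIXED_VERSIONS)}


def installed_packages(deps_json_text: str) -> dict:
    """Map package name -> version from the 'Name/Version' keys of every target."""
    doc = json.loads(deps_json_text)
    found = {}
    for target in doc.get("targets", {}).values():
        for key in target:
            name, _, version = key.partition("/")
            if version:
                found[name] = version
    return found


def scan(deps_json_text: str, advisories: dict = ADVISORIES) -> list:
    """Return (package, installed version, CVE) for each package below its fix."""
    findings = []
    for name, version in installed_packages(deps_json_text).items():
        if name in advisories:
            cve, fixed = advisories[name]
            if is_flagged(version, fixed):
                findings.append((name, version, cve))
    return findings


if __name__ == "__main__":
    print(NuGetVersion("6.3.4-rc.2") < NuGetVersion("6.3.4"))  # True: pre-release sorts below release
    for finding in scan(SAMPLE_DEPS_JSON):
        print("flagged:", finding)
```

Running the script shows the single finding for `NuGet.Packaging 6.3.4-rc.2`; swapping the version string to `6.3.4` clears it, while the `-rtm` rebranding floated in the thread (`6.3.4-rtm`) is still a pre-release under this rule and stays flagged, which matches the maintainer's expectation that some scanners would keep reporting it.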