dotnet / sdk

Core functionality needed to create .NET Core projects, that is shared between Visual Studio and CLI
https://dot.net/core
MIT License

CVE-2023-29331 - dotnet-watch depends on out of date System.Security.Cryptography.Pkcs #40974

Open. baronfel opened this issue 5 months ago.

baronfel commented 5 months ago

Describe the bug

A Trivy scan of the 8.0.300 SDK Docker image shows the following result:

mcr.microsoft.com/dotnet/sdk:8.0 (debian 12.5)
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

usr/share/dotnet/sdk/8.0.300/DotnetTools/dotnet-watch/8.0.300-rtm.24224.16/tools/net8.0/any/BuildHost-netcore/Microsoft.CodeAnalysis.Workspaces.MSBuild.BuildHost.deps.json (dotnet-core)
=========================================================================================================================================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌───────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│              Library              │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                          │
├───────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Pkcs │ CVE-2023-29331 │ HIGH     │ fixed  │ 7.0.0             │ 7.0.2, 6.0.3  │ dotnet: .NET Kestrel: Denial of Service processing X509 │
│                                   │                │          │        │                   │               │ Certificates                                            │
│                                   │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-29331              │
└───────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘

To Reproduce

docker run aquasec/trivy image mcr.microsoft.com/dotnet/sdk:8.0 --ignore-unfixed

baronfel commented 5 months ago

https://github.com/dotnet/roslyn/pull/73515 should fix this once it flows to the SDK.
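The following script is an added example and is not code from this issue, from Trivy, from Roslyn or from dotnet-watch. It reproduces the check Trivy's dotnet-core analyzer performed on the BuildHost deps.json in the scan above (walk the `libraries` section, split each `Name/Version` key, compare the version against an advisory range) and can be pointed at the same file inside a newer SDK image to confirm that the Roslyn change has actually flowed. The advisory table is constructed from the single finding in the scan (CVE-2023-29331, fixed in 7.0.2 and 6.0.3) and is not a complete feed; the sample deps.json, the `ExampleBuildHost` project entry and the `sha512` placeholders are constructed for the example and are not the real contents of the BuildHost file.

```python
"""Check a .NET .deps.json for NuGet packages below a known-fixed version.

Added example; not code from the dotnet/sdk issue, Trivy, Roslyn or dotnet-watch.
"""
from __future__ import annotations

import json
import re
from typing import Iterator

# Constructed advisory table: package -> [(cve, first_affected, fixed_in)].
# One tuple per affected release line, using the fixed versions reported by
# the Trivy scan for CVE-2023-29331. Not a complete advisory feed.
ADVISORIES = {
    "System.Security.Cryptography.Pkcs": [
        ("CVE-2023-29331", "6.0.0", "6.0.3"),
        ("CVE-2023-29331", "7.0.0", "7.0.2"),
    ],
}

# Constructed sample in the deps.json shape ("libraries" keyed by Name/Version).
# Only the pinned Pkcs 7.0.0 mirrors the scan; the other entries are placeholders.
SAMPLE_DEPS_JSON = """
{
  "runtimeTarget": { "name": ".NETCoreApp,Version=v8.0", "signature": "" },
  "targets": { ".NETCoreApp,Version=v8.0": {} },
  "libraries": {
    "ExampleBuildHost/1.0.0": { "type": "project", "serviceable": false, "sha512": "" },
    "System.Security.Cryptography.Pkcs/7.0.0": {
      "type": "package", "serviceable": true,
      "sha512": "sha512-placeholder", "path": "system.security.cryptography.pkcs/7.0.0"
    },
    "System.Text.Json/8.0.0": {
      "type": "package", "serviceable": true,
      "sha512": "sha512-placeholder", "path": "system.text.json/8.0.0"
    }
  }
}
"""


def parse_version(text: str) -> tuple:
    """Turn a NuGet version string into a tuple that orders like NuGet for a range check.

    '7.0.2'           -> ((7, 0, 2, 0), 1, '')           release
    '8.0.0-preview.1' -> ((8, 0, 0, 0), 0, 'preview.1')  prerelease sorts below its release
    Build metadata after '+' is ignored; prerelease labels are compared as plain
    strings, which is enough for the numeric ranges used here.
    """
    text = text.split("+", 1)[0]
    core, _, prerelease = text.partition("-")
    if not re.fullmatch(r"\d+(\.\d+){0,3}", core):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (4 - len(nums))          # pad to four components so 7.0 == 7.0.0.0
    return (tuple(nums), 0 if prerelease else 1, prerelease)


def iter_packages(deps: dict) -> Iterator[tuple[str, str]]:
    """Yield (name, version) for every NuGet package in a parsed deps.json.

    Keys are "Name/Version". Entries of type "project" are the app's own projects
    and carry no advisory, so they are skipped.
    """
    for key, lib in deps.get("libraries", {}).items():
        if lib.get("type") != "package":
            continue
        name, sep, version = key.partition("/")
        if sep:
            yield name, version


def find_vulnerable(deps: dict) -> list[dict]:
    """Return one finding per (package, advisory) whose installed version is in the affected range."""
    findings = []
    for name, version in iter_packages(deps):
        installed = parse_version(version)
        for cve, first_affected, fixed in ADVISORIES.get(name, []):
            if parse_version(first_affected) <= installed < parse_version(fixed):
                findings.append({"library": name, "cve": cve,
                                 "installed": version, "fixed": fixed})
    return findings


def scan_json(text: str) -> list[dict]:
    """Scan deps.json content supplied as a string."""
    return find_vulnerable(json.loads(text))


def scan_file(path: str) -> list[dict]:
    """Scan a deps.json on disk, e.g. the BuildHost file copied out of the SDK image."""
    with open(path, encoding="utf-8-sig") as fh:   # tolerate a UTF-8 BOM
        return find_vulnerable(json.load(fh))


if __name__ == "__main__":
    for f in scan_json(SAMPLE_DEPS_JSON):
        print(f"{f['library']} {f['installed']}: {f['cve']} (fixed in {f['fixed']})")
```

To verify the fix in a later SDK image, copy the deps.json at the path Trivy reported out of a container created from that image and pass it to `scan_file`; an empty result means the pinned `System.Security.Cryptography.Pkcs` version is at or above 7.0.2 (or 6.0.3 on the 6.x line), while a non-empty result reproduces the HIGH finding above without running Trivy.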