CVE-2018-8416 (Medium) detected in microsoft.netcore.app.2.1.0.nupkg

[mend-bolt-for-github[bot]]

CVE-2018-8416 - Medium Severity Vulnerability

Vulnerable Library - microsoft.netcore.app.2.1.0.nupkg

A set of .NET API's that are included in the default .NET Core application model. caa7b7e2bad98e56a...

Library home page: https://api.nuget.org/packages/microsoft.netcore.app.2.1.0.nupkg

Path to dependency file: /LdapForNet.Tests/LdapForNet.Tests.csproj

Path to vulnerable library: /uget/packages/microsoft.netcore.app/2.1.0/microsoft.netcore.app.2.1.0.nupkg

Dependency Hierarchy: - :x: **microsoft.netcore.app.2.1.0.nupkg** (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A tampering vulnerability exists when .NET Core improperly handles specially crafted files, aka ".NET Core Tampering Vulnerability." This affects .NET Core 2.1.

Publish Date: 2018-11-14

URL: CVE-2018-8416

CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/dotnet/Announcements/issues/95

Release Date: 2018-11-14

Fix Resolution: 2.1.7

---

Step up your Open Source Security Game with WhiteSource here

[flamencist]

won't fix due to unused dependency in test projects