lukebrogan-mend / Umbraco-CMS

The simple, flexible and friendly ASP.NET CMS used by more than 500.000 websites
https://umbraco.com
MIT License

microsoft.aspnet.identity.owin.2.2.2.nupkg: 1 vulnerabilities (highest severity is: 8.2) #302

Open mend-for-github-com[bot] opened 12 months ago

mend-for-github-com[bot] commented 12 months ago
Vulnerable Library - microsoft.aspnet.identity.owin.2.2.2.nupkg

Owin implementation for ASP.NET Identity.

Library home page: https://api.nuget.org/packages/microsoft.aspnet.identity.owin.2.2.2.nupkg

Path to dependency file: /build/NuSpecs/UmbracoCms.Web.nuspec

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnet.identity.owin/2.2.2/microsoft.aspnet.identity.owin.2.2.2.nupkg,/home/wss-scanner/.nuget/packages/microsoft.aspnet.identity.owin/2.2.2/microsoft.aspnet.identity.owin.2.2.2.nupkg

Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (microsoft.aspnet.identity.owin.2.2.2.nupkg version) | Remediation Possible** | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-33170 | High | 8.2 | Proof of concept | 0.2% | microsoft.aspnet.identity.owin.2.2.2.nupkg | Direct | Microsoft.AspNet.Identity.Owin - 2.2.4;Microsoft.AspNetCore.App.Runtime - 6.0.20,7.0.9;Microsoft.AspNetCore.Identity - 2.1.39 | | |

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.

Details

CVE-2023-33170

### Vulnerable Library - microsoft.aspnet.identity.owin.2.2.2.nupkg

Owin implementation for ASP.NET Identity.

Library home page: https://api.nuget.org/packages/microsoft.aspnet.identity.owin.2.2.2.nupkg

Path to dependency file: /build/NuSpecs/UmbracoCms.Web.nuspec

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnet.identity.owin/2.2.2/microsoft.aspnet.identity.owin.2.2.2.nupkg,/home/wss-scanner/.nuget/packages/microsoft.aspnet.identity.owin/2.2.2/microsoft.aspnet.identity.owin.2.2.2.nupkg

Dependency Hierarchy:

- :x: **microsoft.aspnet.identity.owin.2.2.2.nupkg** (Vulnerable Library)

Found in base branch: v8/contrib

### Vulnerability Details

ASP.NET and Visual Studio Security Feature Bypass Vulnerability

Publish Date: 2023-07-11

URL: CVE-2023-33170

### Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 0.2%

### CVSS 4 Score Details (8.2)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-25c8-p796-jg6r

Release Date: 2023-07-11

Fix Resolution: Microsoft.AspNet.Identity.Owin - 2.2.4;Microsoft.AspNetCore.App.Runtime - 6.0.20,7.0.9;Microsoft.AspNetCore.Identity - 2.1.39

In order to enable automatic remediation, please create workflow rules

