search

madhon / flake

A port of Twitter's Snowflake algorithm to C#.
1 stars 0 forks source link

nuke.common.7.0.2.nupkg: 2 vulnerabilities (highest severity is: 7.5) - autoclosed #8

Closed mend-bolt-for-github[bot] closed 1 year ago

mend-bolt-for-github[bot] commented 1 year ago
Vulnerable Library - nuke.common.7.0.2.nupkg

Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.common/5.11.0/nuget.common.5.11.0.nupkg

Found in HEAD commit: 455c8bc0951c6aa95625d186f23f13cc146cda8f

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (nuke.common.7.0.2.nupkg version) Remediation Possible**
CVE-2023-29331 High 7.5 system.security.cryptography.pkcs.7.0.0.nupkg Transitive N/A*
CVE-2023-29337 High 7.1 detected in multiple dependencies Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-29331 ### Vulnerable Library - system.security.cryptography.pkcs.7.0.0.nupkg

Provides support for PKCS and CMS algorithms. Commonly Used Types: System.Security.Cryptography.Pkcs.EnvelopedCms

Library home page: https://api.nuget.org/packages/system.security.cryptography.pkcs.7.0.0.nupkg

Path to dependency file: /build/_build.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.security.cryptography.pkcs/7.0.0/system.security.cryptography.pkcs.7.0.0.nupkg

Dependency Hierarchy: - nuke.common.7.0.2.nupkg (Root Library) - nuke.projectmodel.7.0.2.nupkg - microsoft.build.tasks.core.16.9.0.nupkg - :x: **system.security.cryptography.pkcs.7.0.0.nupkg** (Vulnerable Library)

Found in HEAD commit: 455c8bc0951c6aa95625d186f23f13cc146cda8f

Found in base branch: main

### Vulnerability Details

.NET, .NET Framework, and Visual Studio Denial of Service Vulnerability

Publish Date: 2023-06-14

URL: CVE-2023-29331

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-555c-2p6r-68mm

Release Date: 2023-06-14

Fix Resolution: Microsoft.NetCore.App.Runtime.linux-arm - 6.0.18,7.0.7, Microsoft.Windows.Compatibility - 6.0.6,7.0.3, System.Security.Cryptography.Pkcs - 6.0.3,7.0.2

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-29337 ### Vulnerable Libraries - nuget.common.5.11.0.nupkg, nuke.common.7.0.2.nupkg

### nuget.common.5.11.0.nupkg

Common utilities and interfaces for all NuGet libraries.

Library home page: https://api.nuget.org/packages/nuget.common.5.11.0.nupkg

Path to dependency file: /build/_build.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.common/5.11.0/nuget.common.5.11.0.nupkg

Dependency Hierarchy: - nuke.common.7.0.2.nupkg (Root Library) - nuke.projectmodel.7.0.2.nupkg - nuke.tooling.7.0.2.nupkg - nuget.packaging.5.11.0.nupkg - nuget.configuration.5.11.0.nupkg - :x: **nuget.common.5.11.0.nupkg** (Vulnerable Library) ### nuke.common.7.0.2.nupkg

The AKEless Build System for C#/.NET Signed by signpath.io from repository 'https://github.com/nuke-build/nuke' commit 'bbceff250ec4c9c604b33b38600ab9b4a4e17dac' (see contained AppVeyorSettings.json file for build settings).

Library home page: https://api.nuget.org/packages/nuke.common.7.0.2.nupkg

Dependency Hierarchy: - :x: **nuke.common.7.0.2.nupkg** (Vulnerable Library)

Found in HEAD commit: 455c8bc0951c6aa95625d186f23f13cc146cda8f

Found in base branch: main

### Vulnerability Details

NuGet Client Remote Code Execution Vulnerability

Publish Date: 2023-06-14

URL: CVE-2023-29337

### CVSS 3 Score Details (7.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-6qmf-mmc7-6c2p

Release Date: 2023-06-14

Fix Resolution: NuGet.CommandLine - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1, NuGet.Commands - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1, NuGet.Common - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1, NuGet.PackageManagement - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1, NuGet.Protocol - 6.0.5,6.2.4,6.3.3,6.4.2,6.5.1,6.6.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
mend-bolt-for-github[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.