We have latest stable version i.e 4.3.2 for System.Security.Cryptography.X509Certificates as recommended but still shows the issue of vulnerability with CVE-2024-0057.
We are using dot net 4.6.1 as target framework for our solutions, please let us know by when this issue will be resolved in next version of System.Security.Cryptography.X509Certificates
Explanation: The Microsoft.NETCore.App.Runtime packages are vulnerable due to Improper Certificate Validation.
The Build() method of the X509Chain class mishandles errors thrown during certificate chaining.
Consequently, this may yield incorrect failure codes back to users of the certificate chaining APIs.
A remote attacker can exploit this vulnerability with a crafted certificate that may bypass the security controls of applications that depend on the aforementioned failure codes.
We have latest stable version i.e 4.3.2 for System.Security.Cryptography.X509Certificates as recommended but still shows the issue of vulnerability with CVE-2024-0057.
We are using dot net 4.6.1 as target framework for our solutions, please let us know by when this issue will be resolved in next version of System.Security.Cryptography.X509Certificates
Issue Details: [CVE-2024-0057]-(https://www.cve.org/CVERecord?id=CVE-2024-0057)
X509Certificates Code Link: https://referencesource.microsoft.com/#System.Security/system/security/cryptography/x509/x509ui.cs,a0e6c16c340ea6f4,references
Explanation: The
Microsoft.NETCore.App.Runtimepackages are vulnerable due to Improper Certificate Validation. TheBuild()method of theX509Chainclass mishandles errors thrown during certificate chaining. Consequently, this may yield incorrect failure codes back to users of the certificate chaining APIs. A remote attacker can exploit this vulnerability with a crafted certificate that may bypass the security controls of applications that depend on the aforementioned failure codes.