upland-sandbox / KevinDockx_RESTfulAPIAspNetCore

KevinDockx RESTfulAPIAspNetCore
0 stars 0 forks source link

netstandard.library.1.6.0.nupkg: 5 vulnerabilities (highest severity is: 7.5) - autoclosed #25

Closed mend-for-github-com[bot] closed 3 months ago

mend-for-github-com[bot] commented 3 months ago
Vulnerable Library - netstandard.library.1.6.0.nupkg

Path to dependency file: /asp-dot-net-core-restful-api-building/03/demos/csproj_msbuild_core1/end/Library/src/Library.API/Library.API.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.1.1/system.net.http.4.1.1.nupkg

Found in HEAD commit: 4652216182f389981b9a8e802b356c3a5f61bc77

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (netstandard.library.1.6.0.nupkg version) Remediation Possible**
CVE-2017-0247 High 7.5 system.net.http.4.1.1.nupkg Transitive N/A*
CVE-2017-0249 High 7.3 system.net.http.4.1.1.nupkg Transitive N/A*
CVE-2018-8292 Medium 5.3 system.net.http.4.1.1.nupkg Transitive N/A*
CVE-2017-0256 Medium 5.3 system.net.http.4.1.1.nupkg Transitive N/A*
CVE-2017-0248 Medium 5.3 system.net.http.4.1.1.nupkg Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2017-0247 ### Vulnerable Library - system.net.http.4.1.1.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.1.1.nupkg

Path to dependency file: /asp-dot-net-core-restful-api-building/03/demos/csproj_msbuild_core1/end/Library/src/Library.API/Library.API.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.1.1/system.net.http.4.1.1.nupkg

Dependency Hierarchy: - netstandard.library.1.6.0.nupkg (Root Library) - :x: **system.net.http.4.1.1.nupkg** (Vulnerable Library)

Found in HEAD commit: 4652216182f389981b9a8e802b356c3a5f61bc77

Found in base branch: master

### Vulnerability Details

A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.

Publish Date: 2017-05-12

URL: CVE-2017-0247

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2017-05-12

Fix Resolution: System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.5.4;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3

CVE-2017-0249 ### Vulnerable Library - system.net.http.4.1.1.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.1.1.nupkg

Path to dependency file: /asp-dot-net-core-restful-api-building/03/demos/csproj_msbuild_core1/end/Library/src/Library.API/Library.API.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.1.1/system.net.http.4.1.1.nupkg

Dependency Hierarchy: - netstandard.library.1.6.0.nupkg (Root Library) - :x: **system.net.http.4.1.1.nupkg** (Vulnerable Library)

Found in HEAD commit: 4652216182f389981b9a8e802b356c3a5f61bc77

Found in base branch: master

### Vulnerability Details

An elevation of privilege vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.

Publish Date: 2017-05-12

URL: CVE-2017-0249

### CVSS 3 Score Details (7.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2017-05-12

Fix Resolution: System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.3.1;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3

CVE-2018-8292 ### Vulnerable Library - system.net.http.4.1.1.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.1.1.nupkg

Path to dependency file: /asp-dot-net-core-restful-api-building/03/demos/csproj_msbuild_core1/end/Library/src/Library.API/Library.API.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.1.1/system.net.http.4.1.1.nupkg

Dependency Hierarchy: - netstandard.library.1.6.0.nupkg (Root Library) - :x: **system.net.http.4.1.1.nupkg** (Vulnerable Library)

Found in HEAD commit: 4652216182f389981b9a8e802b356c3a5f61bc77

Found in base branch: master

### Vulnerability Details

An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.

Publish Date: 2018-10-10

URL: CVE-2018-8292

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2018-10-10

Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1

CVE-2017-0256 ### Vulnerable Library - system.net.http.4.1.1.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.1.1.nupkg

Path to dependency file: /asp-dot-net-core-restful-api-building/03/demos/csproj_msbuild_core1/end/Library/src/Library.API/Library.API.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.1.1/system.net.http.4.1.1.nupkg

Dependency Hierarchy: - netstandard.library.1.6.0.nupkg (Root Library) - :x: **system.net.http.4.1.1.nupkg** (Vulnerable Library)

Found in HEAD commit: 4652216182f389981b9a8e802b356c3a5f61bc77

Found in base branch: master

### Vulnerability Details

A spoofing vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.

Publish Date: 2017-05-12

URL: CVE-2017-0256

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-0256

Release Date: 2017-05-12

Fix Resolution: Microsoft.AspNetCore.Mvc.ApiExplorer - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.Abstractions - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.1.3,1.0.4;System.Net.Http - 4.1.2,4.3.2;Microsoft.AspNetCore.Mvc.Razor - 1.1.3,1.0.4;System.Net.Http.WinHttpHandler - 4.0.2,4.3.0-preview1-24530-04;System.Net.Security - 4.3.0-preview1-24530-04,4.0.1;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;System.Text.Encodings.Web - 4.3.0-preview1-24530-04,4.0.1;Microsoft.AspNetCore.Mvc.Razor.Host - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3;System.Net.WebSockets.Client - 4.3.0-preview1-24530-04,4.0.1;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3

CVE-2017-0248 ### Vulnerable Library - system.net.http.4.1.1.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.1.1.nupkg

Path to dependency file: /asp-dot-net-core-restful-api-building/03/demos/csproj_msbuild_core1/end/Library/src/Library.API/Library.API.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.1.1/system.net.http.4.1.1.nupkg

Dependency Hierarchy: - netstandard.library.1.6.0.nupkg (Root Library) - :x: **system.net.http.4.1.1.nupkg** (Vulnerable Library)

Found in HEAD commit: 4652216182f389981b9a8e802b356c3a5f61bc77

Found in base branch: master

### Vulnerability Details

Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka ".NET Security Feature Bypass Vulnerability."

Publish Date: 2017-05-12

URL: CVE-2017-0248

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2017-05-12

Fix Resolution: System.Text.Encodings.Web - 4.0.1, 4.3.1;System.Net.Http - 4.1.2, 4.3.2;System.Net.Http.WinHttpHandler - 4.0.2, 4.3.1;System.Net.Security - 4.0.1, 4.3.1;System.Net.WebSockets.Client - 4.0.1, 4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4, 1.1.3

mend-for-github-com[bot] commented 3 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.