search

valdisiljuconoks / LocalizationProvider

Database driven localization provider for .NET applications (core assemblies)
https://tech-fellow.eu/
Apache License 2.0
123 stars 41 forks source link

CVE-2024-38095 (High) detected in system.formats.asn1.6.0.0.nupkg #310

Open mend-bolt-for-github[bot] opened 1 week ago

mend-bolt-for-github[bot] commented 1 week ago

CVE-2024-38095 - High Severity Vulnerability

Vulnerable Library - system.formats.asn1.6.0.0.nupkg

Provides classes that can read and write the ASN.1 BER, CER, and DER data formats. Commonly Used Ty...

Library home page: https://api.nuget.org/packages/system.formats.asn1.6.0.0.nupkg

Path to dependency file: /aspnetcore/tests/DbLocalizationProvider.Core.AspNetSample/DbLocalizationProvider.Core.AspNetSample.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.formats.asn1/6.0.0/system.formats.asn1.6.0.0.nupkg

Dependency Hierarchy: - microsoft.visualstudio.web.codegeneration.design.8.0.5.nupkg (Root Library) - microsoft.visualstudio.web.codegenerators.mvc.8.0.5.nupkg - microsoft.visualstudio.web.codegeneration.8.0.5.nupkg - microsoft.visualstudio.web.codegeneration.entityframeworkcore.8.0.5.nupkg - microsoft.visualstudio.web.codegeneration.core.8.0.5.nupkg - microsoft.visualstudio.web.codegeneration.templating.8.0.5.nupkg - microsoft.visualstudio.web.codegeneration.utils.8.0.5.nupkg - microsoft.dotnet.scaffolding.shared.8.0.5.nupkg - nuget.projectmodel.6.11.0.nupkg - nuget.dependencyresolver.core.6.11.0.nupkg - nuget.protocol.6.11.0.nupkg - nuget.packaging.6.11.0.nupkg - system.security.cryptography.pkcs.6.0.4.nupkg - :x: **system.formats.asn1.6.0.0.nupkg** (Vulnerable Library)

Found in HEAD commit: 0cbb84012dd1a64bfd0c69be7f10d520649195d1

Found in base branch: master

Vulnerability Details

.NET and Visual Studio Denial of Service Vulnerability

Publish Date: 2024-07-09

URL: CVE-2024-38095

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-447r-wph3-92pm

Release Date: 2024-07-09

Fix Resolution: Microsoft.NetCore.App.Runtime - 6.0.32,8.0.7, System.Formats.Asn1 - 6.0.1,8.0.1

Step up your Open Source Security Game with Mend here