search

valdisiljuconoks / localization-provider-core

Database driven localization provider for .NET applications (with administrative management UI)
Apache License 2.0
120 stars 22 forks source link

CVE-2024-0057 (Critical) detected in nuget.packaging.6.3.1.nupkg - autoclosed #147

Closed mend-bolt-for-github[bot] closed 7 months ago

mend-bolt-for-github[bot] commented 8 months ago

CVE-2024-0057 - Critical Severity Vulnerability

Vulnerable Library - nuget.packaging.6.3.1.nupkg

NuGet's understanding of packages. Reading nuspec, nupkgs and package signing.

Library home page: https://api.nuget.org/packages/nuget.packaging.6.3.1.nupkg

Path to dependency file: /tests/DbLocalizationProvider.Core.AspNetSample/DbLocalizationProvider.Core.AspNetSample.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.packaging/6.3.1/nuget.packaging.6.3.1.nupkg

Dependency Hierarchy: - microsoft.visualstudio.web.codegeneration.design.8.0.0.nupkg (Root Library) - microsoft.visualstudio.web.codegenerators.mvc.8.0.0.nupkg - microsoft.visualstudio.web.codegeneration.8.0.0.nupkg - microsoft.visualstudio.web.codegeneration.entityframeworkcore.8.0.0.nupkg - microsoft.visualstudio.web.codegeneration.core.8.0.0.nupkg - microsoft.visualstudio.web.codegeneration.templating.8.0.0.nupkg - microsoft.visualstudio.web.codegeneration.utils.8.0.0.nupkg - microsoft.dotnet.scaffolding.shared.8.0.0.nupkg - nuget.projectmodel.6.3.1.nupkg - nuget.dependencyresolver.core.6.3.1.nupkg - nuget.protocol.6.3.1.nupkg - :x: **nuget.packaging.6.3.1.nupkg** (Vulnerable Library)

Found in HEAD commit: 6a4dae0d87e02bafb87b57e3a8e54309b1007b25

Found in base branch: master

Vulnerability Details

NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability

Publish Date: 2024-01-09

URL: CVE-2024-0057

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-68w7-72jg-6qpp

Release Date: 2024-01-09

Fix Resolution: NuGet.CommandLine - 5.11.6,6.0.6,6.3.4,6.4.3,6.6.2,6.7.1,6.8.1, NuGet.Packaging - 5.11.6,6.0.6,6.3.4,6.4.3,6.6.2,6.7.1,6.8.1

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] commented 7 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.