csproj's Issues
xunit.2.4.1.nupkg: 2 vulnerabilities (highest severity is: 7.5) - autoclosed
Vulnerable Library - xunit.2.4.1.nupkg
Path to dependency file: /tests/CsProjEditor.Tests/CsProjEditor.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg
Found in HEAD commit: 5e5eea1aba0176f7f506373cf81a3532b95bc1d7
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (xunit.2.4.1.nupkg version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2018-8292 | High | 7.5 | system.net.http.4.3.0.nupkg | Transitive | N/A* | ❌ |
CVE-2017-0248 | High | 7.5 | system.net.http.4.3.0.nupkg | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2018-8292
Vulnerable Library - system.net.http.4.3.0.nupkg
Provides a programming interface for modern HTTP applications, including HTTP client components that...
Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg
Path to dependency file: /tests/CsProjEditor.Tests/CsProjEditor.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg
Dependency Hierarchy:
- xunit.2.4.1.nupkg (Root Library)
  - xunit.assert.2.4.1.nupkg
    - netstandard.library.1.6.1.nupkg
      - ❌ system.net.http.4.3.0.nupkg (Vulnerable Library)
Found in HEAD commit: 5e5eea1aba0176f7f506373cf81a3532b95bc1d7
Found in base branch: main
Vulnerability Details
An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.
Publish Date: 2018-10-10
URL: CVE-2018-8292
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2018-10-10
Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1
CVE-2017-0248
Vulnerable Library - system.net.http.4.3.0.nupkg
Provides a programming interface for modern HTTP applications, including HTTP client components that...
Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg
Path to dependency file: /tests/CsProjEditor.Tests/CsProjEditor.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg
Dependency Hierarchy:
- xunit.2.4.1.nupkg (Root Library)
  - xunit.assert.2.4.1.nupkg
    - netstandard.library.1.6.1.nupkg
      - ❌ system.net.http.4.3.0.nupkg (Vulnerable Library)
Found in HEAD commit: 5e5eea1aba0176f7f506373cf81a3532b95bc1d7
Found in base branch: main
Vulnerability Details
Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka ".NET Security Feature Bypass Vulnerability."
Publish Date: 2017-05-12
URL: CVE-2017-0248
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-0248
Release Date: 2017-05-12
Fix Resolution: ClubArcada.Common - 5.0.3,9.0.1;Wyam - 1.4.0;tsqllint - 1.13.0;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.Localization - 1.1.3,1.0.4;System.Net.Http - 4.1.2,4.3.2;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;System.Net.Http.WinHttpHandler - 4.5.0-rc1,4.5.4,4.3.0-preview1-24530-04;XTG.DataBase.SqlClient - 1.0.1;VitalElement.AvalonBuild.win7-x64 - 0.4.2;System.Net.Security - 4.3.0-preview1-24530-04,4.0.1;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;LagoVista.IoT.Web.Common - 0.8.112-alpha01270;System.Text.Encodings.Web - 4.3.0-preview1-24530-04,4.0.1;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;MobileTech.QueryFailOverEsMongo - 1.0.1;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;NugetXray - 1.0.42;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.1.3,1.0.4;System.Net.WebSockets.Client - 4.3.2,4.3.0-preview1-24530-04,4.0.1;DataPumpCon - 1.0.1;VitalElement.AvalonBuild.ubuntu.14.04-x64 - 0.4.2;Chutzpah - 4.3.7;LagoVista.IoT.Web.DeviceAdmin - 0.8.112-alpha01362;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.1.3,1.0.4;SmartLifeLtd - 1.0.1;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Boilerplate.Templates - 1.0.0;ResearchAPI - 2.0.0;NSwag.MSBuild - 12.0.8,12.0.0;Nlog.RabbitMQ.Target - 2.5.1;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.1.3,1.0.4;Codecov - 1.0.4;Core.Spire.Presentation - 1.0.1;Microsoft.CodeDom.Providers.DotNetCompilerPlatform - 3.5.0-preview1;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;NBench.Runner - 1.1.0;NLog.RabbitMQ.Target - 2.5.4;LagoVista.Web.Identity - 0.8.112-alpha01210;system.net.http - 4.3.0-preview1-24530-04;csx - 1.0.0-beta7,1.0.0-beta10
Dependency Dashboard
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
Repository problems
These problems occurred while renovating this repository. View logs.
- WARN: Error updating PR
Open
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
- Update dependency Utf8Json to v1.3.7
- Update dotnet monorepo (Microsoft.Extensions.Hosting, dotnet-sdk)
- Update dependency ConsoleAppFramework to v5
- Update dotnet monorepo to v8 (major) (Microsoft.Extensions.Hosting, dotnet-sdk)
- Click on this checkbox to rebase all open PRs at once
Detected dependencies
nuget
csprojcli/csprojcli.csproj
Utf8Json 1.3.6
Microsoft.Extensions.Hosting 3.1.6
ConsoleAppFramework 2.4.0
csprojcli/global.json
dotnet-sdk 7.0.0
- Check this box to trigger a request for Renovate to run again on this repository
microsoft.net.test.sdk.16.6.1.nupkg: 1 vulnerabilities (highest severity is: 7.5) - autoclosed
Vulnerable Library - microsoft.net.test.sdk.16.6.1.nupkg
Path to dependency file: /tests/CsProjEditor.Tests/CsProjEditor.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg
Found in HEAD commit: 5e5eea1aba0176f7f506373cf81a3532b95bc1d7
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (microsoft.net.test.sdk.16.6.1.nupkg version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2019-0820 | High | 7.5 | system.text.regularexpressions.4.3.0.nupkg | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2019-0820
Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg
Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...
Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg
Path to dependency file: /tests/CsProjEditor.Tests/CsProjEditor.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg
Dependency Hierarchy:
- microsoft.net.test.sdk.16.6.1.nupkg (Root Library)
  - microsoft.testplatform.testhost.16.6.1.nupkg
    - newtonsoft.json.9.0.1.nupkg
      - ❌ system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)
Found in HEAD commit: 5e5eea1aba0176f7f506373cf81a3532b95bc1d7
Found in base branch: main
Vulnerability Details
A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.
Publish Date: 2019-05-16
URL: CVE-2019-0820
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-0820
Release Date: 2019-05-16
Fix Resolution: LocaleWorks.Core - 0.1.1;GWallet.Backend - 0.2.15--date20210210-1105.git-2f5ecf0;KY.Generator - 8.0.0;dnx-coreclr-darwin-x64 - 1.0.0-rc1-final;dnx-coreclr-linux-x64 - 1.0.0-rc1-final;DataPumpCon - 1.0.1;JetBrains.ReSharper.CommandLineTools - 2021.2.1,2020.3.0,2020.2.0-eap01,2021.1.0-eap01,2020.3.0-eap05;dnx-coreclr-win-x64 - 1.0.0-rc1-final;dnx-coreclr-win-x86 - 1.0.0-rc1-final;CodeGeneration.Roslyn.BuildTime - 0.4.6;Fable.Compiler - 1.0.0-narumi-921;ResearchAPI - 2.0.0;NSwag.MSBuild - 13.4.0;Paket.SDK - 0.0.1-gamma01,0.0.1-beta2;com.nitrocrime.XamarinPainter - 0.1.1;Nuke.Common - 0.18.0-alpha0038,0.19.0;Nlog.RabbitMQ.Target - 2.5.1;FSharp.Data.Npgsql - 0.2.7-beta,0.1.42-beta;Dolittle.SDK.Build - 5.0.0-alpha.5;Codecov - 1.2.0;VL.CEF - 0.0.8-stride;ddplatform.ddrrBackendCommonUtils - 1.0.15-beta;JetBrains.ReSharper.GlobalTools - 2021.1.0-eap01,2020.2.0-eap01,2020.3.0,2021.2.1,2020.3.0-eap05;System.Text.RegularExpressions - 4.0.11-beta-23225;Sarif.Multitool - 2.0.0-csd.1;AspectInjector - 2.0.0-rc2;Peachpie.NET.Sdk - 1.0.0,1.0.0-preview4;TfsCmdlets - 2.0.0-beta0008;NBench.Runner - 1.1.0;NLog.RabbitMQ.Target - 2.5.4;Iride - 0.1.1;Cake.Tfs - 0.3.2-beta0001;Toolbelt.Blazor.I18nText - 10.0.0-preview.1,9.4.1;ExcelProvider - 2.0.0-rc1;tsqllint - 1.13.0;JetBrains.ReSharper.TestRunner.Adapters.NUnit3 - 2.6.1.37,1.2.7.18,1.2.9.24;Utf8Json - 1.0.0.1;Cake.CoreCLR - 0.26.0;Tocsoft.GraphQLCodeGen.MsBuild - 0.1.0-beta0015;WebApiClient.AOT - 0.0.6;Lazlo.Powershell.Operations - 1.2.1402;PathOfSupporting - 0.0.1-beta2;Nuke.CodeGeneration - 0.18.0-alpha0038,0.19.0;AspNetCore.Client.Generator - 0.4.1+76;Akka.MultiNodeTestRunner - 1.4.0-beta1;FaIndustry.RelaFax.RestManager - 1.0.2;WaveEngine.Targets - 3.2.0.7765-preview;NugetVersion - 1.0.3;Cake.Tfs.Build.Variables - 0.0.3;TestCentric.GuiRunner - 2.0.0-alpha1
Dependency Dashboard
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
This repository currently has no open or pending branches.
Detected dependencies
None detected
microsoft.netcore.app.2.1.0.nupkg: 8 vulnerabilities (highest severity is: 8.8) - autoclosed
Vulnerable Library - microsoft.netcore.app.2.1.0.nupkg
A set of .NET API's that are included in the default .NET Core application model. caa7b7e2bad98e56a...
Library home page: https://api.nuget.org/packages/microsoft.netcore.app.2.1.0.nupkg
Path to dependency file: /src/UwpCsProjEditor/UwpCsProjEditor.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.netcore.app/2.1.0/microsoft.netcore.app.2.1.0.nupkg
Found in HEAD commit: 5e5eea1aba0176f7f506373cf81a3532b95bc1d7
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (microsoft.netcore.app.2.1.0.nupkg version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2019-1302 | High | 8.8 | microsoft.netcore.app.2.1.0.nupkg | Direct | Microsoft.AspNetCore.SpaServices - 2.2.1,2.1.2 | ✅ |
CVE-2020-1147 | High | 7.8 | microsoft.netcore.app.2.1.0.nupkg | Direct | microsoft.aspnetcore.all - 2.1.20;microsoft.netcore.app - 2.1.20;microsoft.aspnetcore.app - 2.1.20 | ✅ |
CVE-2019-0545 | High | 7.5 | microsoft.netcore.app.2.1.0.nupkg | Direct | Microsoft.NETCore.App - 2.1.7,2.2.1 | ✅ |
CVE-2019-0548 | High | 7.5 | detected in multiple dependencies | Direct | Microsoft.AspNetCore.SignalR - 1.1.0; Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets - 2.2.1; Microsoft.AspNetCore.Server.IIS - 2.2.1; Microsoft.AspNetCore.Server.IISIntegration - 2.2.1;Microsoft.AspNetCore.Server.Kestrel.Core - 2.1.7 | ✅ |
CVE-2020-1045 | High | 7.5 | microsoft.netcore.app.2.1.0.nupkg | Direct | Microsoft.AspNetCore.App - 2.1.22, Microsoft.AspNetCore.All - 2.1.22,Microsoft.NETCore.App - 2.1.22, Microsoft.AspNetCore.Http - 2.1.22 | ✅ |
CVE-2019-0564 | High | 7.5 | microsoft.netcore.app.2.1.0.nupkg | Direct | Microsoft.AspNetCore.WebSockets - 2.1.7,2.2.1;Microsoft.AspNetCore.Server.Kestrel.Core - 2.1.7;System.Net.WebSockets.WebSocketProtocol - 4.5.3;Microsoft.NETCore.App - 2.1.7,2.2.1;Microsoft.AspNetCore.App - 2.1.7,2.2.1;Microsoft.AspNetCore.All - 2.1.7,2.2.1 | ✅ |
CVE-2018-8416 | Medium | 6.5 | microsoft.netcore.app.2.1.0.nupkg | Direct | 2.1.7 | ✅ |
CVE-2019-0657 | Medium | 5.9 | microsoft.netcore.app.2.1.0.nupkg | Direct | Microsoft.NETCore.App.nupkg - 2.1.8,2.2.2;System.Private.Uri.nupkg - 4.3.1 | ✅ |
Details
CVE-2019-1302
Vulnerable Library - microsoft.netcore.app.2.1.0.nupkg
A set of .NET API's that are included in the default .NET Core application model. caa7b7e2bad98e56a...
Library home page: https://api.nuget.org/packages/microsoft.netcore.app.2.1.0.nupkg
Path to dependency file: /src/UwpCsProjEditor/UwpCsProjEditor.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.netcore.app/2.1.0/microsoft.netcore.app.2.1.0.nupkg
Dependency Hierarchy:
- ❌ microsoft.netcore.app.2.1.0.nupkg (Vulnerable Library)
Found in HEAD commit: 5e5eea1aba0176f7f506373cf81a3532b95bc1d7
Found in base branch: main
Vulnerability Details
An elevation of privilege vulnerability exists when an ASP.NET Core web application, created using vulnerable project templates, fails to properly sanitize web requests, aka 'ASP.NET Core Elevation Of Privilege Vulnerability'.
Publish Date: 2019-09-11
URL: CVE-2019-1302
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-09-11
Fix Resolution: Microsoft.AspNetCore.SpaServices - 2.2.1,2.1.2
⛑️ Automatic Remediation is available for this issue
CVE-2020-1147
Vulnerable Library - microsoft.netcore.app.2.1.0.nupkg
A set of .NET API's that are included in the default .NET Core application model. caa7b7e2bad98e56a...
Library home page: https://api.nuget.org/packages/microsoft.netcore.app.2.1.0.nupkg
Path to dependency file: /src/UwpCsProjEditor/UwpCsProjEditor.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.netcore.app/2.1.0/microsoft.netcore.app.2.1.0.nupkg
Dependency Hierarchy:
- ❌ microsoft.netcore.app.2.1.0.nupkg (Vulnerable Library)
Found in HEAD commit: 5e5eea1aba0176f7f506373cf81a3532b95bc1d7
Found in base branch: main
Vulnerability Details
A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input, aka '.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability'.
Publish Date: 2020-07-14
URL: CVE-2020-1147
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-14
Fix Resolution: microsoft.aspnetcore.all - 2.1.20;microsoft.netcore.app - 2.1.20;microsoft.aspnetcore.app - 2.1.20
⛑️ Automatic Remediation is available for this issue
CVE-2019-0545
Vulnerable Library - microsoft.netcore.app.2.1.0.nupkg
A set of .NET API's that are included in the default .NET Core application model. caa7b7e2bad98e56a...
Library home page: https://api.nuget.org/packages/microsoft.netcore.app.2.1.0.nupkg
Path to dependency file: /src/UwpCsProjEditor/UwpCsProjEditor.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.netcore.app/2.1.0/microsoft.netcore.app.2.1.0.nupkg
Dependency Hierarchy:
- ❌ microsoft.netcore.app.2.1.0.nupkg (Vulnerable Library)
Found in HEAD commit: 5e5eea1aba0176f7f506373cf81a3532b95bc1d7
Found in base branch: main
Vulnerability Details
An information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross-origin Resource Sharing (CORS) configurations, aka ".NET Framework Information Disclosure Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.7/4.7.1/4.7.2, .NET Core 2.1, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, .NET Core 2.2, Microsoft .NET Framework 4.7.2.
Publish Date: 2019-01-08
URL: CVE-2019-0545
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2019-01-14
Fix Resolution: Microsoft.NETCore.App - 2.1.7,2.2.1
⛑️ Automatic Remediation is available for this issue
CVE-2019-0548
Vulnerable Libraries - microsoft.netcore.app.2.1.0.nupkg, microsoft.netcore.dotnethostresolver.2.1.0.nupkg, microsoft.netcore.dotnetapphost.2.1.0.nupkg, microsoft.netcore.dotnethostpolicy.2.1.0.nupkg
microsoft.netcore.app.2.1.0.nupkg
A set of .NET API's that are included in the default .NET Core application model. caa7b7e2bad98e56a...
Library home page: https://api.nuget.org/packages/microsoft.netcore.app.2.1.0.nupkg
Path to dependency file: /src/UwpCsProjEditor/UwpCsProjEditor.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.netcore.app/2.1.0/microsoft.netcore.app.2.1.0.nupkg
Dependency Hierarchy:
- ❌ microsoft.netcore.app.2.1.0.nupkg (Vulnerable Library)
microsoft.netcore.dotnethostresolver.2.1.0.nupkg
Provides an implementation of framework resolution strategy used by Microsoft.NETCore.DotNetHost ca...
Library home page: https://api.nuget.org/packages/microsoft.netcore.dotnethostresolver.2.1.0.nupkg
Path to dependency file: /src/UwpCsProjEditor/UwpCsProjEditor.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.netcore.dotnethostresolver/2.1.0/microsoft.netcore.dotnethostresolver.2.1.0.nupkg
Dependency Hierarchy:
- microsoft.netcore.app.2.1.0.nupkg (Root Library)
  - microsoft.netcore.dotnethostpolicy.2.1.0.nupkg
    - ❌ microsoft.netcore.dotnethostresolver.2.1.0.nupkg (Vulnerable Library)
microsoft.netcore.dotnetapphost.2.1.0.nupkg
Provides the .NET Core app bootstrapper intended for use in the application directory caa7b7e2bad98...
Library home page: https://api.nuget.org/packages/microsoft.netcore.dotnetapphost.2.1.0.nupkg
Path to dependency file: /src/UwpCsProjEditor/UwpCsProjEditor.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.netcore.dotnetapphost/2.1.0/microsoft.netcore.dotnetapphost.2.1.0.nupkg
Dependency Hierarchy:
- microsoft.netcore.app.2.1.0.nupkg (Root Library)
  - microsoft.netcore.dotnethostpolicy.2.1.0.nupkg
    - microsoft.netcore.dotnethostresolver.2.1.0.nupkg
      - ❌ microsoft.netcore.dotnetapphost.2.1.0.nupkg (Vulnerable Library)
microsoft.netcore.dotnethostpolicy.2.1.0.nupkg
Provides a CoreCLR hosting policy implementation -- configuration settings, assembly paths and assem...
Library home page: https://api.nuget.org/packages/microsoft.netcore.dotnethostpolicy.2.1.0.nupkg
Path to dependency file: /src/UwpCsProjEditor/UwpCsProjEditor.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.netcore.dotnethostpolicy/2.1.0/microsoft.netcore.dotnethostpolicy.2.1.0.nupkg
Dependency Hierarchy:
- microsoft.netcore.app.2.1.0.nupkg (Root Library)
  - ❌ microsoft.netcore.dotnethostpolicy.2.1.0.nupkg (Vulnerable Library)
Found in HEAD commit: 5e5eea1aba0176f7f506373cf81a3532b95bc1d7
Found in base branch: main
Vulnerability Details
A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka "ASP.NET Core Denial of Service Vulnerability." This affects ASP.NET Core 2.2, ASP.NET Core 2.1. This CVE ID is unique from CVE-2019-0564.
Publish Date: 2019-01-08
URL: CVE-2019-0548
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-01-08
Fix Resolution: Microsoft.AspNetCore.SignalR - 1.1.0; Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets - 2.2.1; Microsoft.AspNetCore.Server.IIS - 2.2.1; Microsoft.AspNetCore.Server.IISIntegration - 2.2.1;Microsoft.AspNetCore.Server.Kestrel.Core - 2.1.7
⛑️ Automatic Remediation is available for this issue
CVE-2020-1045
Vulnerable Library - microsoft.netcore.app.2.1.0.nupkg
A set of .NET API's that are included in the default .NET Core application model. caa7b7e2bad98e56a...
Library home page: https://api.nuget.org/packages/microsoft.netcore.app.2.1.0.nupkg
Path to dependency file: /src/UwpCsProjEditor/UwpCsProjEditor.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.netcore.app/2.1.0/microsoft.netcore.app.2.1.0.nupkg
Dependency Hierarchy:
- ❌ microsoft.netcore.app.2.1.0.nupkg (Vulnerable Library)
Found in HEAD commit: 5e5eea1aba0176f7f506373cf81a3532b95bc1d7
Found in base branch: main
Vulnerability Details
A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names, aka 'Microsoft ASP.NET Core Security Feature Bypass Vulnerability'.
Publish Date: 2020-09-11
URL: CVE-2020-1045
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-10-02
Fix Resolution: Microsoft.AspNetCore.App - 2.1.22, Microsoft.AspNetCore.All - 2.1.22,Microsoft.NETCore.App - 2.1.22, Microsoft.AspNetCore.Http - 2.1.22
⛑️ Automatic Remediation is available for this issue
CVE-2019-0564
Vulnerable Library - microsoft.netcore.app.2.1.0.nupkg
A set of .NET API's that are included in the default .NET Core application model. caa7b7e2bad98e56a...
Library home page: https://api.nuget.org/packages/microsoft.netcore.app.2.1.0.nupkg
Path to dependency file: /src/UwpCsProjEditor/UwpCsProjEditor.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.netcore.app/2.1.0/microsoft.netcore.app.2.1.0.nupkg
Dependency Hierarchy:
- ❌ microsoft.netcore.app.2.1.0.nupkg (Vulnerable Library)
Found in HEAD commit: 5e5eea1aba0176f7f506373cf81a3532b95bc1d7
Found in base branch: main
Vulnerability Details
A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka "ASP.NET Core Denial of Service Vulnerability." This affects ASP.NET Core 2.1. This CVE ID is unique from CVE-2019-0548.
Publish Date: 2019-01-08
URL: CVE-2019-0564
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-01-08
Fix Resolution: Microsoft.AspNetCore.WebSockets - 2.1.7,2.2.1;Microsoft.AspNetCore.Server.Kestrel.Core - 2.1.7;System.Net.WebSockets.WebSocketProtocol - 4.5.3;Microsoft.NETCore.App - 2.1.7,2.2.1;Microsoft.AspNetCore.App - 2.1.7,2.2.1;Microsoft.AspNetCore.All - 2.1.7,2.2.1
⛑️ Automatic Remediation is available for this issue
CVE-2018-8416
Vulnerable Library - microsoft.netcore.app.2.1.0.nupkg
A set of .NET API's that are included in the default .NET Core application model. caa7b7e2bad98e56a...
Library home page: https://api.nuget.org/packages/microsoft.netcore.app.2.1.0.nupkg
Path to dependency file: /src/UwpCsProjEditor/UwpCsProjEditor.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.netcore.app/2.1.0/microsoft.netcore.app.2.1.0.nupkg
Dependency Hierarchy:
- ❌ microsoft.netcore.app.2.1.0.nupkg (Vulnerable Library)
Found in HEAD commit: 5e5eea1aba0176f7f506373cf81a3532b95bc1d7
Found in base branch: main
Vulnerability Details
A tampering vulnerability exists when .NET Core improperly handles specially crafted files, aka ".NET Core Tampering Vulnerability." This affects .NET Core 2.1.
Publish Date: 2018-11-14
URL: CVE-2018-8416
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2018-11-14
Fix Resolution: 2.1.7
⛑️ Automatic Remediation is available for this issue
CVE-2019-0657
Vulnerable Library - microsoft.netcore.app.2.1.0.nupkg
A set of .NET API's that are included in the default .NET Core application model. caa7b7e2bad98e56a...
Library home page: https://api.nuget.org/packages/microsoft.netcore.app.2.1.0.nupkg
Path to dependency file: /src/UwpCsProjEditor/UwpCsProjEditor.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.netcore.app/2.1.0/microsoft.netcore.app.2.1.0.nupkg
Dependency Hierarchy:
- ❌ microsoft.netcore.app.2.1.0.nupkg (Vulnerable Library)
Found in HEAD commit: 5e5eea1aba0176f7f506373cf81a3532b95bc1d7
Found in base branch: main
Vulnerability Details
A vulnerability exists in certain .NET Framework APIs and Visual Studio in the way they parse URLs, aka '.NET Framework and Visual Studio Spoofing Vulnerability'.
Publish Date: 2019-03-05
URL: CVE-2019-0657
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2019-03-07
Fix Resolution: Microsoft.NETCore.App.nupkg - 2.1.8,2.2.2;System.Private.Uri.nupkg - 4.3.1
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.
Dependency Dashboard
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
Open
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
- Update dependency Utf8Json to v1.3.7
- Update dotnet monorepo (Microsoft.Extensions.Hosting, dotnet-sdk)
- Update dependency ConsoleAppFramework to v5
- Update dotnet monorepo to v8 (major) (Microsoft.Extensions.Hosting, dotnet-sdk)
- Click on this checkbox to rebase all open PRs at once
Detected dependencies
nuget
csprojcli/csprojcli.csproj
Utf8Json 1.3.6
Microsoft.Extensions.Hosting 3.1.6
ConsoleAppFramework 2.4.0
csprojcli/global.json
dotnet-sdk 7.0.0
- Check this box to trigger a request for Renovate to run again on this repository
consoleappframework.2.4.0.nupkg: 1 vulnerabilities (highest severity is: 9.8) - autoclosed
Vulnerable Library - consoleappframework.2.4.0.nupkg
Path to dependency file: /examples/CsProjCliSample/CsProjCliSample.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.encodings.web/4.7.1/system.text.encodings.web.4.7.1.nupkg
Found in HEAD commit: 5e5eea1aba0176f7f506373cf81a3532b95bc1d7
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (consoleappframework.2.4.0.nupkg version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-26701 | Critical | 9.8 | system.text.encodings.web.4.7.1.nupkg | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2021-26701
Vulnerable Library - system.text.encodings.web.4.7.1.nupkg
Provides types for encoding and escaping strings for use in JavaScript, HyperText Markup Language (H...
Library home page: https://api.nuget.org/packages/system.text.encodings.web.4.7.1.nupkg
Path to dependency file: /src/UwpCsProjEditor/UwpCsProjEditor.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.encodings.web/4.7.1/system.text.encodings.web.4.7.1.nupkg
Dependency Hierarchy:
- consoleappframework.2.4.0.nupkg (Root Library)
  - microsoft.extensions.hosting.3.1.6.nupkg
    - microsoft.extensions.logging.eventsource.3.1.6.nupkg
      - system.text.json.4.7.2.nupkg
        - ❌ system.text.encodings.web.4.7.1.nupkg (Vulnerable Library)
Found in HEAD commit: 5e5eea1aba0176f7f506373cf81a3532b95bc1d7
Found in base branch: main
Vulnerability Details
.NET Core Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-24112.
Publish Date: 2021-02-25
URL: CVE-2021-26701
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-02-25
Fix Resolution: System.Text.Encodings.Web - 4.5.1,4.7.2,5.0.1