Vulnerable Library - Blogifier-1.0.0

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/azure.identity/1.6.0/azure.identity.1.6.0.nupkg

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

CVE-2023-36414

Vulnerable Library - azure.identity.1.6.0.nupkg

This is the implementation of the Azure SDK Client Library for Azure Identity

Library home page: https://api.nuget.org/packages/azure.identity.1.6.0.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/azure.identity/1.6.0/azure.identity.1.6.0.nupkg

Dependency Hierarchy:

• Blogifier-1.0.0 (Root Library)
  • microsoft.entityframeworkcore.sqlserver.7.0.10.nupkg
    • microsoft.data.sqlclient.5.0.2.nupkg
      • ❌ azure.identity.1.6.0.nupkg (Vulnerable Library)

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

Found in base branch: main

Vulnerability Details

Azure Identity SDK Remote Code Execution Vulnerability

Publish Date: 2023-10-10

URL: CVE-2023-36414

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-36414

Release Date: 2023-10-10

Fix Resolution: Azure.Identity - 1.10.2

CVE-2024-0056

Vulnerable Library - microsoft.data.sqlclient.5.0.2.nupkg

Provides the data provider for SQL Server.

Library home page: https://api.nuget.org/packages/microsoft.data.sqlclient.5.0.2.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.data.sqlclient/5.0.2/microsoft.data.sqlclient.5.0.2.nupkg

Dependency Hierarchy:

• Blogifier-1.0.0 (Root Library)
  • microsoft.entityframeworkcore.sqlserver.7.0.10.nupkg
    • ❌ microsoft.data.sqlclient.5.0.2.nupkg (Vulnerable Library)

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

Found in base branch: main

Vulnerability Details

Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability

Publish Date: 2024-01-09

URL: CVE-2024-0056

CVSS 3 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-98g6-xh36-x2p7

Release Date: 2024-01-09

Fix Resolution: Microsoft.Data.SqlClient - 2.1.7,3.1.5,4.0.5,5.1.3, System.Data.SqlClient - 4.8.6

CVE-2021-24112

Vulnerable Library - system.drawing.common.5.0.0.nupkg

Provides access to GDI+ graphics functionality.

Commonly Used Types:
System.Drawing.Bitmap
System.D...

Library home page: https://api.nuget.org/packages/system.drawing.common.5.0.0.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.drawing.common/5.0.0/system.drawing.common.5.0.0.nupkg

Dependency Hierarchy:

• Blogifier-1.0.0 (Root Library)
  • microsoft.entityframeworkcore.sqlserver.7.0.10.nupkg
    • microsoft.data.sqlclient.5.0.2.nupkg
      • system.runtime.caching.5.0.0.nupkg
        • system.configuration.configurationmanager.5.0.0.nupkg
          • system.security.permissions.5.0.0.nupkg
            • system.windows.extensions.5.0.0.nupkg
              • ❌ system.drawing.common.5.0.0.nupkg (Vulnerable Library)

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

Found in base branch: main

Vulnerability Details

.NET Core Remote Code Execution Vulnerability

Publish Date: 2021-02-25

URL: CVE-2021-24112

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-rxg9-xrhp-64gj

Release Date: 2021-02-25

Fix Resolution: System.Drawing.Common - 4.7.2,5.0.3

CVE-2023-29331

Vulnerable Library - system.security.cryptography.pkcs.7.0.0.nupkg

Provides support for PKCS and CMS algorithms.

Commonly Used Types:
System.Security.Cryptography.Pkcs.EnvelopedCms

Library home page: https://api.nuget.org/packages/system.security.cryptography.pkcs.7.0.0.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.security.cryptography.pkcs/7.0.0/system.security.cryptography.pkcs.7.0.0.nupkg

Dependency Hierarchy:

• Blogifier-1.0.0 (Root Library)
  • microsoft.aspnetcore.dataprotection.stackexchangeredis.7.0.10.nupkg
    • microsoft.aspnetcore.dataprotection.7.0.10.nupkg
      • system.security.cryptography.xml.7.0.1.nupkg
        • ❌ system.security.cryptography.pkcs.7.0.0.nupkg (Vulnerable Library)

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

Found in base branch: main

Vulnerability Details

.NET, .NET Framework, and Visual Studio Denial of Service Vulnerability

Publish Date: 2023-06-14

URL: CVE-2023-29331

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-555c-2p6r-68mm

Release Date: 2023-06-14

Fix Resolution: Microsoft.NetCore.App.Runtime.linux-arm - 6.0.18,7.0.7, Microsoft.Windows.Compatibility - 6.0.6,7.0.3, System.Security.Cryptography.Pkcs - 6.0.3,7.0.2

CVE-2024-21319

Vulnerable Libraries - microsoft.identitymodel.jsonwebtokens.6.21.0.nupkg, system.identitymodel.tokens.jwt.6.21.0.nupkg

microsoft.identitymodel.jsonwebtokens.6.21.0.nupkg

Includes types that provide support for creating, serializing and validating JSON Web Tokens.

Library home page: https://api.nuget.org/packages/microsoft.identitymodel.jsonwebtokens.6.21.0.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/6.21.0/microsoft.identitymodel.jsonwebtokens.6.21.0.nupkg

Dependency Hierarchy:

• Blogifier-1.0.0 (Root Library)
  • microsoft.entityframeworkcore.sqlserver.7.0.10.nupkg
    • microsoft.data.sqlclient.5.0.2.nupkg
      • ❌ microsoft.identitymodel.jsonwebtokens.6.21.0.nupkg (Vulnerable Library)

system.identitymodel.tokens.jwt.6.21.0.nupkg

Includes types that provide support for creating, serializing and validating JSON Web Tokens.

Library home page: https://api.nuget.org/packages/system.identitymodel.tokens.jwt.6.21.0.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.identitymodel.tokens.jwt/6.21.0/system.identitymodel.tokens.jwt.6.21.0.nupkg

Dependency Hierarchy:

• Blogifier-1.0.0 (Root Library)
  • microsoft.entityframeworkcore.sqlserver.7.0.10.nupkg
    • microsoft.data.sqlclient.5.0.2.nupkg
      • microsoft.identitymodel.protocols.openidconnect.6.21.0.nupkg
        • ❌ system.identitymodel.tokens.jwt.6.21.0.nupkg (Vulnerable Library)

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

Found in base branch: main

Vulnerability Details

Microsoft Identity Denial of service vulnerability

Publish Date: 2024-01-09

URL: CVE-2024-21319

CVSS 3 Score Details (6.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-8g9c-28fc-mcx2

Release Date: 2024-01-09

Fix Resolution: System.IdentityModel.Tokens.Jwt - 5.7.0,6.34.0,7.1.2, Microsoft.IdentityModel.JsonWebTokens - 5.7.0,6.34.0,7.1.2

CVE-2024-35255

Vulnerable Library - azure.identity.1.6.0.nupkg

This is the implementation of the Azure SDK Client Library for Azure Identity

Library home page: https://api.nuget.org/packages/azure.identity.1.6.0.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/azure.identity/1.6.0/azure.identity.1.6.0.nupkg

Dependency Hierarchy:

• Blogifier-1.0.0 (Root Library)
  • microsoft.entityframeworkcore.sqlserver.7.0.10.nupkg
    • microsoft.data.sqlclient.5.0.2.nupkg
      • ❌ azure.identity.1.6.0.nupkg (Vulnerable Library)

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

Found in base branch: main

Vulnerability Details

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

Publish Date: 2024-06-11

URL: CVE-2024-35255

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-m5vv-6r4h-3vj9

Release Date: 2024-06-11

Fix Resolution: @azure/identity - 4.2.1, @azure/msal-node - 2.9.1, Azure.Identity - 1.11.4, Microsoft.Identity.Client - 4.61.3, azure-identity - 1.16.1, com.azure:azure-identity:1.12.2, github.com/Azure/azure-sdk-for-go/sdk/azidentity - 1.6.0

CVE-2024-29992

Vulnerable Library - azure.identity.1.6.0.nupkg

This is the implementation of the Azure SDK Client Library for Azure Identity

Library home page: https://api.nuget.org/packages/azure.identity.1.6.0.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/azure.identity/1.6.0/azure.identity.1.6.0.nupkg

Dependency Hierarchy:

• Blogifier-1.0.0 (Root Library)
  • microsoft.entityframeworkcore.sqlserver.7.0.10.nupkg
    • microsoft.data.sqlclient.5.0.2.nupkg
      • ❌ azure.identity.1.6.0.nupkg (Vulnerable Library)

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

Found in base branch: main

Vulnerability Details

Azure Identity Library for .NET Information Disclosure Vulnerability

Publish Date: 2024-04-09

URL: CVE-2024-29992

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-wvxc-855f-jvrv

Release Date: 2024-04-09

Fix Resolution: Azure.Identity - 1.11.0

Vulnerable Library - sotsera.blazor.toaster.3.0.0.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore.components/7.0.10/microsoft.aspnetcore.components.7.0.10.nupkg

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

CVE-2023-36558

Vulnerable Library - microsoft.aspnetcore.components.7.0.10.nupkg

Components feature for ASP.NET Core.

This package was built from the source code at https://github.com/dotnet/aspnetcore/tree/5a4c82ec57fadddef9ce841d608de5c7c8c74446

Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.components.7.0.10.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore.components/7.0.10/microsoft.aspnetcore.components.7.0.10.nupkg

Dependency Hierarchy:

• sotsera.blazor.toaster.3.0.0.nupkg (Root Library)
  • ❌ microsoft.aspnetcore.components.7.0.10.nupkg (Vulnerable Library)

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

Found in base branch: main

Vulnerability Details

ASP.NET Core - Security Feature Bypass Vulnerability

Publish Date: 2023-11-14

URL: CVE-2023-36558

CVSS 3 Score Details (6.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-3fx3-85r4-8j3w

Release Date: 2023-11-14

Fix Resolution: Microsoft.AspNetCore.Components - 6.0.25,7.0.14,8.0.0

Vulnerable Library - microsoft.entityframeworkcore.design.7.0.10.nupkg

Path to dependency file: /src/Blogifier/Blogifier.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.json/7.0.0/system.text.json.7.0.0.nupkg

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

CVE-2024-30105

Vulnerable Library - system.text.json.7.0.0.nupkg

Provides high-performance and low-allocating types that serialize objects to JavaScript Object Notation (JSON) text and deserialize JSON text to objects, with UTF-8 support built-in.

Library home page: https://api.nuget.org/packages/system.text.json.7.0.0.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.json/7.0.0/system.text.json.7.0.0.nupkg

Dependency Hierarchy:

• microsoft.entityframeworkcore.design.7.0.10.nupkg (Root Library)
  • microsoft.extensions.dependencymodel.7.0.0.nupkg
    • ❌ system.text.json.7.0.0.nupkg (Vulnerable Library)

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

Found in base branch: main

Vulnerability Details

.NET Core and Visual Studio Denial of Service Vulnerability

Publish Date: 2024-07-09

URL: CVE-2024-30105

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hh2w-p6rv-4g7w

Release Date: 2024-07-09

Fix Resolution: System.Text.Json - 8.0.4

Vulnerable Library - coverlet.collector.6.0.0.nupkg

Coverlet is a cross platform code coverage library for .NET, with support for line, branch and method coverage.

Library home page: https://api.nuget.org/packages/coverlet.collector.6.0.0.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/coverlet.collector/6.0.0/coverlet.collector.6.0.0.nupkg

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

CVE-2024-21907

Vulnerable Library - coverlet.collector.6.0.0.nupkg

Coverlet is a cross platform code coverage library for .NET, with support for line, branch and method coverage.

Library home page: https://api.nuget.org/packages/coverlet.collector.6.0.0.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/coverlet.collector/6.0.0/coverlet.collector.6.0.0.nupkg

Dependency Hierarchy:

• ❌ coverlet.collector.6.0.0.nupkg (Vulnerable Library)

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

Found in base branch: main

Vulnerability Details

Newtonsoft.Json before version 13.0.1 is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition.

Publish Date: 2024-01-03

URL: CVE-2024-21907

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5crp-9r3c-p9vr

Release Date: 2024-01-03

Fix Resolution: Newtonsoft.Json - 13.0.1

⛑️ Automatic Remediation will be attempted for this issue.

Vulnerable Library - xunit.2.5.0.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

CVE-2024-38095

Vulnerable Library - system.formats.asn1.7.0.0.nupkg

Provides classes that can read and write the ASN.1 BER, CER, and DER data formats.

Commonly Used Types:
System.Formats.Asn1.AsnReader
System.Formats.Asn1.AsnWriter

Library home page: https://api.nuget.org/packages/system.formats.asn1.7.0.0.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.formats.asn1/7.0.0/system.formats.asn1.7.0.0.nupkg

Dependency Hierarchy:

• xunit.2.5.0.nupkg (Root Library)
  • xunit.assert.2.5.0.nupkg
    • netstandard.library.1.6.1.nupkg
      • system.security.cryptography.x509certificates.4.3.0.nupkg
        • system.security.cryptography.cng.5.0.0.nupkg
          • ❌ system.formats.asn1.7.0.0.nupkg (Vulnerable Library)

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

Found in base branch: main

Vulnerability Details

.NET and Visual Studio Denial of Service Vulnerability

Publish Date: 2024-07-09

URL: CVE-2024-38095

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-447r-wph3-92pm

Release Date: 2024-07-09

Fix Resolution: Microsoft.NetCore.App.Runtime - 6.0.32,8.0.7, System.Formats.Asn1 - 6.0.1,8.0.1

CVE-2019-0820

Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg

Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...

Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Dependency Hierarchy:

• xunit.2.5.0.nupkg (Root Library)
  • xunit.assert.2.5.0.nupkg
    • netstandard.library.1.6.1.nupkg
      • system.xml.xdocument.4.3.0.nupkg
        • system.xml.readerwriter.4.3.0.nupkg
          • ❌ system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

Found in base branch: main

Vulnerability Details

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.

Publish Date: 2019-05-16

URL: CVE-2019-0820

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cmhx-cq75-c4mj

Release Date: 2019-05-16

Fix Resolution: System.Text.RegularExpressions - 4.3.1

CVE-2018-8292

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers.

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

• xunit.2.5.0.nupkg (Root Library)
  • xunit.assert.2.5.0.nupkg
    • netstandard.library.1.6.1.nupkg
      • ❌ system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

Found in base branch: main

Vulnerability Details

An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.

Publish Date: 2018-10-10

URL: CVE-2018-8292

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2018-10-10

Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1

Vulnerable Library - npgsql.entityframeworkcore.postgresql.7.0.4.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/npgsql/7.0.4/npgsql.7.0.4.nupkg

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

CVE-2024-32655

Vulnerable Library - npgsql.7.0.4.nupkg

Npgsql is the open source .NET data provider for PostgreSQL.

Library home page: https://api.nuget.org/packages/npgsql.7.0.4.nupkg

Path to dependency file: /tests/Blogifier.Tests/Blogifier.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/npgsql/7.0.4/npgsql.7.0.4.nupkg

Dependency Hierarchy:

• npgsql.entityframeworkcore.postgresql.7.0.4.nupkg (Root Library)
  • ❌ npgsql.7.0.4.nupkg (Vulnerable Library)

Found in HEAD commit: 39ddcd5516c1d38b0f187e6b8e96b6f19ff19826

Found in base branch: main

Vulnerability Details

Npgsql is the .NET data provider for PostgreSQL. The WriteBind() method in src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs uses int variables to store the message length and the sum of parameter lengths. Both variables overflow when the sum of parameter lengths becomes too large. This causes Npgsql to write a message size that is too small when constructing a Postgres protocol message to send it over the network to the database. When parsing the message, the database will only read a small number of bytes and treat any following bytes as new messages while they belong to the old message. Attackers can abuse this to inject arbitrary Postgres protocol messages into the connection, leading to the execution of arbitrary SQL statements on the application's behalf. This vulnerability is fixed in 4.0.14, 4.1.13, 5.0.18, 6.0.11, 7.0.7, and 8.0.3.

Publish Date: 2024-05-09

URL: CVE-2024-32655

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-32655

Release Date: 2024-05-09

Fix Resolution: Npgsql - 4.0.14,4.1.13,5.0.18,6.0.11,7.0.7,8.0.3