Vulnerable Library - OrchardCore.Application.Cms.Targets-1.8.0-preview
Path to vulnerable library: /home/wss-scanner/.nuget/packages/bouncycastle.cryptography/2.2.1/bouncycastle.cryptography.2.2.1.nupkg
Found in HEAD commit: 5279d43f2d4b5305c13128b14818d8a6bf21f5e0
Vulnerabilities
CVE |
Severity |
CVSS |
Dependency |
Type |
Fixed in (OrchardCore.Application.Cms.Targets version) |
Remediation Possible** |
CVE-2024-41131 |
High |
7.5 |
sixlabors.imagesharp.3.0.1.nupkg |
Transitive |
N/A* |
❌ |
CVE-2024-29857 |
High |
7.5 |
bouncycastle.cryptography.2.2.1.nupkg |
Transitive |
N/A* |
❌ |
CVE-2024-27929 |
High |
7.1 |
sixlabors.imagesharp.3.0.1.nupkg |
Transitive |
N/A* |
❌ |
CVE-2024-30172 |
Medium |
5.9 |
bouncycastle.cryptography.2.2.1.nupkg |
Transitive |
N/A* |
❌ |
CVE-2024-30171 |
Medium |
5.9 |
bouncycastle.cryptography.2.2.1.nupkg |
Transitive |
N/A* |
❌ |
CVE-2024-41132 |
Medium |
5.3 |
sixlabors.imagesharp.3.0.1.nupkg |
Transitive |
N/A* |
❌ |
CVE-2024-32036 |
Medium |
5.3 |
sixlabors.imagesharp.3.0.1.nupkg |
Transitive |
N/A* |
❌ |
CVE-2024-32035 |
Medium |
5.3 |
sixlabors.imagesharp.3.0.1.nupkg |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-41131
Vulnerable Library - sixlabors.imagesharp.3.0.1.nupkg
A new, fully featured, fully managed, cross-platform, 2D graphics API for .NET
Library home page: https://api.nuget.org/packages/sixlabors.imagesharp.3.0.1.nupkg
Path to dependency file: /src/OrchardCore.Cms.Web/OrchardCore.Cms.Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/sixlabors.imagesharp/3.0.1/sixlabors.imagesharp.3.0.1.nupkg
Dependency Hierarchy:
- OrchardCore.Application.Cms.Targets-1.8.0-preview (Root Library)
- OrchardCore.Application.Cms.Core.Targets-1.8.0-preview
- OrchardCore.Media-1.8.0-preview
- SixLabors.ImageSharp.Web-3.0.1
- ❌ sixlabors.imagesharp.3.0.1.nupkg (Vulnerable Library)
Found in HEAD commit: 5279d43f2d4b5305c13128b14818d8a6bf21f5e0
Found in base branch: main
Vulnerability Details
ImageSharp is a 2D graphics API. An Out-of-bounds Write vulnerability has been found in the ImageSharp gif decoder, allowing attackers to cause a crash using a specially crafted gif. This can potentially lead to denial of service. All users are advised to upgrade to v3.1.5 or v2.1.9.
Publish Date: 2024-07-22
URL: CVE-2024-41131
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-63p8-c4ww-9cg7
Release Date: 2024-07-22
Fix Resolution: SixLabors.ImageSharp - 2.1.9,3.1.5
CVE-2024-29857
Vulnerable Library - bouncycastle.cryptography.2.2.1.nupkg
BouncyCastle.NET is a popular cryptography library for .NET
Library home page: https://api.nuget.org/packages/bouncycastle.cryptography.2.2.1.nupkg
Path to dependency file: /src/OrchardCore.Modules/OrchardCore.Notifications/OrchardCore.Notifications.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/bouncycastle.cryptography/2.2.1/bouncycastle.cryptography.2.2.1.nupkg
Dependency Hierarchy:
- OrchardCore.Application.Cms.Targets-1.8.0-preview (Root Library)
- OrchardCore.Application.Cms.Core.Targets-1.8.0-preview
- OrchardCore.Email-1.8.0-preview
- OrchardCore.Email.Core-1.8.0-preview
- mailkit.4.3.0.nupkg
- mimekit.4.3.0.nupkg
- ❌ bouncycastle.cryptography.2.2.1.nupkg (Vulnerable Library)
Found in HEAD commit: 5279d43f2d4b5305c13128b14818d8a6bf21f5e0
Found in base branch: main
Vulnerability Details
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.
Publish Date: 2024-05-14
URL: CVE-2024-29857
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-8xfc-gm6g-vgpv
Release Date: 2024-05-14
Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78, BouncyCastle.Cryptography - 2.3.1
CVE-2024-27929
Vulnerable Library - sixlabors.imagesharp.3.0.1.nupkg
A new, fully featured, fully managed, cross-platform, 2D graphics API for .NET
Library home page: https://api.nuget.org/packages/sixlabors.imagesharp.3.0.1.nupkg
Path to dependency file: /src/OrchardCore.Cms.Web/OrchardCore.Cms.Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/sixlabors.imagesharp/3.0.1/sixlabors.imagesharp.3.0.1.nupkg
Dependency Hierarchy:
- OrchardCore.Application.Cms.Targets-1.8.0-preview (Root Library)
- OrchardCore.Application.Cms.Core.Targets-1.8.0-preview
- OrchardCore.Media-1.8.0-preview
- SixLabors.ImageSharp.Web-3.0.1
- ❌ sixlabors.imagesharp.3.0.1.nupkg (Vulnerable Library)
Found in HEAD commit: 5279d43f2d4b5305c13128b14818d8a6bf21f5e0
Found in base branch: main
Vulnerability Details
ImageSharp is a managed, cross-platform, 2D graphics library. A heap-use-after-free flaw was found in ImageSharp's InitializeImage() function of PngDecoderCore.cs file. This vulnerability is triggered when an attacker passes a specially crafted PNG image file to ImageSharp for conversion, potentially leading to information disclosure. This issue has been patched in versions 3.1.3 and 2.1.7.
Publish Date: 2024-03-05
URL: CVE-2024-27929
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-65x7-c272-7g7r
Release Date: 2024-03-05
Fix Resolution: SixLabors.ImageSharp - 2.1.7,3.1.3
CVE-2024-30172
Vulnerable Library - bouncycastle.cryptography.2.2.1.nupkg
BouncyCastle.NET is a popular cryptography library for .NET
Library home page: https://api.nuget.org/packages/bouncycastle.cryptography.2.2.1.nupkg
Path to dependency file: /src/OrchardCore.Modules/OrchardCore.Notifications/OrchardCore.Notifications.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/bouncycastle.cryptography/2.2.1/bouncycastle.cryptography.2.2.1.nupkg
Dependency Hierarchy:
- OrchardCore.Application.Cms.Targets-1.8.0-preview (Root Library)
- OrchardCore.Application.Cms.Core.Targets-1.8.0-preview
- OrchardCore.Email-1.8.0-preview
- OrchardCore.Email.Core-1.8.0-preview
- mailkit.4.3.0.nupkg
- mimekit.4.3.0.nupkg
- ❌ bouncycastle.cryptography.2.2.1.nupkg (Vulnerable Library)
Found in HEAD commit: 5279d43f2d4b5305c13128b14818d8a6bf21f5e0
Found in base branch: main
Vulnerability Details
An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.
Publish Date: 2024-05-09
URL: CVE-2024-30172
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2024-30172
Release Date: 2024-03-24
Fix Resolution: org.bouncycastle:bcprov-jdk18on:1.78,org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk14:1.78
CVE-2024-30171
Vulnerable Library - bouncycastle.cryptography.2.2.1.nupkg
BouncyCastle.NET is a popular cryptography library for .NET
Library home page: https://api.nuget.org/packages/bouncycastle.cryptography.2.2.1.nupkg
Path to dependency file: /src/OrchardCore.Modules/OrchardCore.Notifications/OrchardCore.Notifications.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/bouncycastle.cryptography/2.2.1/bouncycastle.cryptography.2.2.1.nupkg
Dependency Hierarchy:
- OrchardCore.Application.Cms.Targets-1.8.0-preview (Root Library)
- OrchardCore.Application.Cms.Core.Targets-1.8.0-preview
- OrchardCore.Email-1.8.0-preview
- OrchardCore.Email.Core-1.8.0-preview
- mailkit.4.3.0.nupkg
- mimekit.4.3.0.nupkg
- ❌ bouncycastle.cryptography.2.2.1.nupkg (Vulnerable Library)
Found in HEAD commit: 5279d43f2d4b5305c13128b14818d8a6bf21f5e0
Found in base branch: main
Vulnerability Details
An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.
Publish Date: 2024-05-09
URL: CVE-2024-30171
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v435-xc8x-wvr9
Release Date: 2024-05-09
Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78, BouncyCastle.Cryptography - 2.3.1
CVE-2024-41132
Vulnerable Library - sixlabors.imagesharp.3.0.1.nupkg
A new, fully featured, fully managed, cross-platform, 2D graphics API for .NET
Library home page: https://api.nuget.org/packages/sixlabors.imagesharp.3.0.1.nupkg
Path to dependency file: /src/OrchardCore.Cms.Web/OrchardCore.Cms.Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/sixlabors.imagesharp/3.0.1/sixlabors.imagesharp.3.0.1.nupkg
Dependency Hierarchy:
- OrchardCore.Application.Cms.Targets-1.8.0-preview (Root Library)
- OrchardCore.Application.Cms.Core.Targets-1.8.0-preview
- OrchardCore.Media-1.8.0-preview
- SixLabors.ImageSharp.Web-3.0.1
- ❌ sixlabors.imagesharp.3.0.1.nupkg (Vulnerable Library)
Found in HEAD commit: 5279d43f2d4b5305c13128b14818d8a6bf21f5e0
Found in base branch: main
Vulnerability Details
ImageSharp is a 2D graphics API. A vulnerability discovered in the ImageSharp library, where the processing of specially crafted files can lead to excessive memory usage in the Gif decoder. The vulnerability is triggered when ImageSharp attempts to process image files that are designed to exploit this flaw. All users are advised to upgrade to v3.1.5 or v2.1.9.
Publish Date: 2024-07-22
URL: CVE-2024-41132
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-41132
Release Date: 2024-07-22
Fix Resolution: SixLabors.ImageSharp - 2.1.9,3.1.5
CVE-2024-32036
Vulnerable Library - sixlabors.imagesharp.3.0.1.nupkg
A new, fully featured, fully managed, cross-platform, 2D graphics API for .NET
Library home page: https://api.nuget.org/packages/sixlabors.imagesharp.3.0.1.nupkg
Path to dependency file: /src/OrchardCore.Cms.Web/OrchardCore.Cms.Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/sixlabors.imagesharp/3.0.1/sixlabors.imagesharp.3.0.1.nupkg
Dependency Hierarchy:
- OrchardCore.Application.Cms.Targets-1.8.0-preview (Root Library)
- OrchardCore.Application.Cms.Core.Targets-1.8.0-preview
- OrchardCore.Media-1.8.0-preview
- SixLabors.ImageSharp.Web-3.0.1
- ❌ sixlabors.imagesharp.3.0.1.nupkg (Vulnerable Library)
Found in HEAD commit: 5279d43f2d4b5305c13128b14818d8a6bf21f5e0
Found in base branch: main
Vulnerability Details
ImageSharp is a 2D graphics API. A data leakage flaw was found in ImageSharp's JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially crafted JPEG or TGA image file to a software using ImageSharp, potentially disclosing sensitive information from other parts of the software in the resulting image buffer. The problem has been patched in v3.1.4 and v2.1.8.
Publish Date: 2024-04-15
URL: CVE-2024-32036
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5x7m-6737-26cr
Release Date: 2024-04-15
Fix Resolution: SixLabors.ImageSharp - 2.1.8,3.1.4
CVE-2024-32035
Vulnerable Library - sixlabors.imagesharp.3.0.1.nupkg
A new, fully featured, fully managed, cross-platform, 2D graphics API for .NET
Library home page: https://api.nuget.org/packages/sixlabors.imagesharp.3.0.1.nupkg
Path to dependency file: /src/OrchardCore.Cms.Web/OrchardCore.Cms.Web.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/sixlabors.imagesharp/3.0.1/sixlabors.imagesharp.3.0.1.nupkg
Dependency Hierarchy:
- OrchardCore.Application.Cms.Targets-1.8.0-preview (Root Library)
- OrchardCore.Application.Cms.Core.Targets-1.8.0-preview
- OrchardCore.Media-1.8.0-preview
- SixLabors.ImageSharp.Web-3.0.1
- ❌ sixlabors.imagesharp.3.0.1.nupkg (Vulnerable Library)
Found in HEAD commit: 5279d43f2d4b5305c13128b14818d8a6bf21f5e0
Found in base branch: main
Vulnerability Details
ImageSharp is a 2D graphics API. A vulnerability discovered in the ImageSharp library, where the processing of specially crafted files can lead to excessive memory usage in image decoders. The vulnerability is triggered when ImageSharp attempts to process image files that are designed to exploit this flaw. This flaw can be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on ImageSharp for image processing tasks. Users and administrators are advised to update to the latest version of ImageSharp that addresses this vulnerability to mitigate the risk of exploitation. The problem has been patched in v3.1.4 and v2.1.8.
Publish Date: 2024-04-15
URL: CVE-2024-32035
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-g85r-6x2q-45w7
Release Date: 2024-04-15
Fix Resolution: SixLabors.ImageSharp - 2.1.8,3.1.4