database.1.0.0.nupkg: 6 vulnerabilities (highest severity is: 7.5)

[mend-bolt-for-github]

Vulnerable Library - database.1.0.0.nupkg

Path to dependency file: /ExpensesTrackerTests/ExpensesTrackerTests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.json/8.0.0/system.text.json.8.0.0.nupkg

Vulnerabilities

Vulnerability	Severity	CVSS	Dependency	Type	Fixed in (database.1.0.0.nupkg version)	Remediation Possible**
CVE-2024-43485	High	7.5	system.text.json.8.0.0.nupkg	Transitive	N/A*	❌
CVE-2024-43484	High	7.5	system.io.packaging.6.0.0.nupkg	Transitive	N/A*	❌
CVE-2024-43483	High	7.5	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2024-30105	High	7.5	system.text.json.8.0.0.nupkg	Transitive	N/A*	❌
CVE-2024-35255	Medium	5.5	microsoft.identity.client.4.60.1.nupkg	Transitive	N/A*	❌
CVE-2024-27086	Low	3.9	microsoft.identity.client.4.60.1.nupkg	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-43485

Vulnerable Library - system.text.json.8.0.0.nupkg

Provides high-performance and low-allocating types that serialize objects to JavaScript Object Notation (JSON) text and deserialize JSON text to objects, with UTF-8 support built-in.

Library home page: https://api.nuget.org/packages/system.text.json.8.0.0.nupkg

Path to dependency file: /Api/Api.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.json/8.0.0/system.text.json.8.0.0.nupkg

Dependency Hierarchy:

• database.1.0.0.nupkg (Root Library)
  • microsoft.entityframeworkcore.sqlserver.8.0.4.nupkg
    • microsoft.data.sqlclient.5.2.0.nupkg
      • azure.identity.1.11.0.nupkg
        • ❌ system.text.json.8.0.0.nupkg (Vulnerable Library)

Found in base branch: master

Vulnerability Details

.NET and Visual Studio Denial of Service Vulnerability

Publish Date: 2024-10-08

URL: CVE-2024-43485

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8g4q-xg66-9fp4

Release Date: 2024-10-08

Fix Resolution: System.Text.Json - 6.0.10,8.0.5

Step up your Open Source Security Game with Mend here

CVE-2024-43484

Vulnerable Library - system.io.packaging.6.0.0.nupkg

Provides classes that support storage of multiple data objects in a single container.

Library home page: https://api.nuget.org/packages/system.io.packaging.6.0.0.nupkg

Path to dependency file: /Api/Api.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.io.packaging/6.0.0/system.io.packaging.6.0.0.nupkg

Dependency Hierarchy:

• database.1.0.0.nupkg (Root Library)
  • core.1.0.0.nupkg
    • closedxml.0.102.2.nupkg
      • documentformat.openxml.2.16.0.nupkg
        • ❌ system.io.packaging.6.0.0.nupkg (Vulnerable Library)

Found in base branch: master

Vulnerability Details

.NET, .NET Framework, and Visual Studio Denial of Service Vulnerability

Publish Date: 2024-10-08

URL: CVE-2024-43484

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-43484

Release Date: 2024-10-08

Fix Resolution: System.IO.Packaging - 6.0.1,8.0.1,9.0.0-rc.2.24473.5

Step up your Open Source Security Game with Mend here

CVE-2024-43483

Vulnerable Libraries - system.io.packaging.6.0.0.nupkg, microsoft.extensions.caching.memory.8.0.0.nupkg

system.io.packaging.6.0.0.nupkg

Provides classes that support storage of multiple data objects in a single container.

Library home page: https://api.nuget.org/packages/system.io.packaging.6.0.0.nupkg

Path to dependency file: /Api/Api.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.io.packaging/6.0.0/system.io.packaging.6.0.0.nupkg

Dependency Hierarchy:

• database.1.0.0.nupkg (Root Library)
  • core.1.0.0.nupkg
    • closedxml.0.102.2.nupkg
      • documentformat.openxml.2.16.0.nupkg
        • ❌ system.io.packaging.6.0.0.nupkg (Vulnerable Library)

microsoft.extensions.caching.memory.8.0.0.nupkg

In-memory cache implementation of Microsoft.Extensions.Caching.Memory.IMemoryCache.

Library home page: https://api.nuget.org/packages/microsoft.extensions.caching.memory.8.0.0.nupkg

Path to dependency file: /Api/Api.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.extensions.caching.memory/8.0.0/microsoft.extensions.caching.memory.8.0.0.nupkg

Dependency Hierarchy:

• database.1.0.0.nupkg (Root Library)
  • microsoft.entityframeworkcore.sqlserver.8.0.4.nupkg
    • microsoft.entityframeworkcore.relational.8.0.4.nupkg
      • microsoft.entityframeworkcore.8.0.4.nupkg
        • ❌ microsoft.extensions.caching.memory.8.0.0.nupkg (Vulnerable Library)

Found in base branch: master

Vulnerability Details

.NET, .NET Framework, and Visual Studio Denial of Service Vulnerability

Publish Date: 2024-10-08

URL: CVE-2024-43483

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qj66-m88j-hmgj

Release Date: 2024-10-08

Fix Resolution: System.IO.Packaging - 6.0.1,8.0.1,9.0.0-rc.2.24473.5, Microsoft.Extensions.Caching.Memory - 6.0.2,8.0.1,9.0.0-rc.2.24473.5, System.Security.Cryptography.Cose - 8.0.1,9.0.0-rc.2.24473.5

Step up your Open Source Security Game with Mend here

CVE-2024-30105

Vulnerable Library - system.text.json.8.0.0.nupkg

Provides high-performance and low-allocating types that serialize objects to JavaScript Object Notation (JSON) text and deserialize JSON text to objects, with UTF-8 support built-in.

Library home page: https://api.nuget.org/packages/system.text.json.8.0.0.nupkg

Path to dependency file: /Api/Api.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.json/8.0.0/system.text.json.8.0.0.nupkg

Dependency Hierarchy:

• database.1.0.0.nupkg (Root Library)
  • microsoft.entityframeworkcore.sqlserver.8.0.4.nupkg
    • microsoft.data.sqlclient.5.2.0.nupkg
      • azure.identity.1.11.0.nupkg
        • ❌ system.text.json.8.0.0.nupkg (Vulnerable Library)

Found in base branch: master

Vulnerability Details

.NET and Visual Studio Denial of Service Vulnerability

Publish Date: 2024-07-09

URL: CVE-2024-30105

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hh2w-p6rv-4g7w

Release Date: 2024-07-09

Fix Resolution: System.Text.Json - 8.0.4

Step up your Open Source Security Game with Mend here

CVE-2024-35255

Vulnerable Library - microsoft.identity.client.4.60.1.nupkg

This package contains the binaries of the Microsoft Authentication Library for .NET (MSAL.NET).

Library home page: https://api.nuget.org/packages/microsoft.identity.client.4.60.1.nupkg

Path to dependency file: /Api/Api.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.identity.client/4.60.1/microsoft.identity.client.4.60.1.nupkg

Dependency Hierarchy:

• database.1.0.0.nupkg (Root Library)
  • microsoft.entityframeworkcore.sqlserver.8.0.4.nupkg
    • microsoft.data.sqlclient.5.2.0.nupkg
      • ❌ microsoft.identity.client.4.60.1.nupkg (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

Publish Date: 2024-06-11

URL: CVE-2024-35255

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-m5vv-6r4h-3vj9

Release Date: 2024-06-11

Fix Resolution: @azure/identity - 4.2.1, @azure/msal-node - 2.9.1, Azure.Identity - 1.11.4, Microsoft.Identity.Client - 4.61.3, azure-identity - 1.16.1, com.azure:azure-identity:1.12.2, github.com/Azure/azure-sdk-for-go/sdk/azidentity - 1.6.0

Step up your Open Source Security Game with Mend here

CVE-2024-27086

Vulnerable Library - microsoft.identity.client.4.60.1.nupkg

This package contains the binaries of the Microsoft Authentication Library for .NET (MSAL.NET).

Library home page: https://api.nuget.org/packages/microsoft.identity.client.4.60.1.nupkg

Path to dependency file: /Api/Api.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.identity.client/4.60.1/microsoft.identity.client.4.60.1.nupkg

Dependency Hierarchy:

• database.1.0.0.nupkg (Root Library)
  • microsoft.entityframeworkcore.sqlserver.8.0.4.nupkg
    • microsoft.data.sqlclient.5.2.0.nupkg
      • ❌ microsoft.identity.client.4.60.1.nupkg (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The MSAL library enabled acquisition of security tokens to call protected APIs. MSAL.NET applications targeting Xamarin Android and .NET Android (e.g., MAUI) using the library from versions 4.48.0 to 4.60.0 are impacted by a low severity vulnerability.
A malicious application running on a customer Android device can cause local denial of service against applications that were built using MSAL.NET for authentication on the same device (i.e., prevent the user of the legitimate application from logging in) due to incorrect activity export configuration. MSAL.NET version 4.60.1 includes the fix. As a workaround, a developer may explicitly mark the MSAL.NET activity non-exported.

Publish Date: 2024-04-16

URL: CVE-2024-27086

CVSS 3 Score Details (3.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-x674-v45j-fwxw

Release Date: 2024-04-16

Fix Resolution: Microsoft.Identity.Client - 4.59.1,4.60.3

Step up your Open Source Security Game with Mend here