GithubHelp home page GithubHelp logo

rgbds2cil's People

Contributors

archanox avatar codacy-badger avatar dependabot[bot] avatar gitter-badger avatar mend-bolt-for-github[bot] avatar renovate[bot] avatar

Stargazers

avatar avatar avatar

Watchers

avatar

Forkers

gitter-badger

rgbds2cil's Issues

Nested IF parsing broken

Input assembly:

ld_long: MACRO
	IF STRLWR(""\1"") == ""a"" 
		; ld a, [$ff40]
		db $FA
		dw \2
	ELSE 
		IF STRLWR(""\2"") == ""a"" 
			; ld [$ff40], a
			db $EA
			dw \1
		ENDC
	ENDC
ENDM

Current c# output:

void Ld_Long(params object[] args)
{
	if (STRLWR("args[0]") == "a")
	{
		// ld a, [$ff40]
		/* db $FA */
		/* dw args[1] */
	}
	else
	{
		if (STRLWR("args[1]") == "a")
		{
			// ld [$ff40], a
			/* db $EA */
			/* dw args[0] */
			}
		// ld [$ff40], a
		/* db $EA */
		/* dw args[0] */
		}
	}
	}

Expected c# output:

void Ld_Long(params object[] args)
{
	if (STRLWR("args[0]") == "a")
	{
		// ld a, [$ff40]
		/* db $FA */
		/* dw args[1] */
	}
	else
	{
		if (STRLWR("args[1]") == "a")
		{
			// ld [$ff40], a
			/* db $EA */
			/* dw args[0] */
		}
	}
}

Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl: 36 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (Pillow version) Remediation Available
CVE-2020-5311 High 9.8 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 6.2.2
CVE-2020-5312 High 9.8 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 6.2.2
CVE-2022-22817 High 9.8 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 9.0.0
CVE-2021-34552 High 9.8 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow-8.3.0
CVE-2021-25289 High 9.8 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct 8.1.1
CVE-2022-24303 High 9.1 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 9.0.1
CVE-2021-25287 High 9.1 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 8.2.0
CVE-2021-25288 High 9.1 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 8.2.0
CVE-2020-5310 High 8.8 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 6.2.2
CVE-2020-11538 High 8.1 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct 7.1.0
CVE-2020-10379 High 7.8 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct 7.1.0
CVE-2019-19911 High 7.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 6.2.2
WS-2022-0097 High 7.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 9.0.0
CVE-2021-27923 High 7.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 8.1.2
CVE-2019-16865 High 7.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct 6.2.0
CVE-2021-25290 High 7.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct 8.1.1
CVE-2021-25291 High 7.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct 8.1.1
CVE-2021-25293 High 7.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct 8.1.1
CVE-2022-45198 High 7.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 9.2.0
CVE-2022-45199 High 7.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 9.3.0
CVE-2021-23437 High 7.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 8.3.2
CVE-2021-28676 High 7.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 8.2.0
CVE-2021-28677 High 7.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 8.2.0
CVE-2021-27921 High 7.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 8.1.2
CVE-2021-27922 High 7.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 8.1.2
CVE-2020-5313 High 7.1 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 6.2.2
CVE-2020-35653 High 7.1 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct 8.1.0
CVE-2021-25292 Medium 6.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct 8.1.1
CVE-2022-22815 Medium 6.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 9.0.0
CVE-2022-22816 Medium 6.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 9.0.0
CVE-2020-10994 Medium 5.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct 7.1.0
CVE-2020-10378 Medium 5.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct 7.1.0
CVE-2020-10177 Medium 5.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct 7.1.0
CVE-2021-28675 Medium 5.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 8.2.0
CVE-2021-28678 Medium 5.5 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct Pillow - 8.2.0
CVE-2020-35655 Medium 5.4 Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl Direct 8.1.0

Details

Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2020-5311

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.

Publish Date: 2020-01-03

URL: CVE-2020-5311

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5311

Release Date: 2020-07-10

Fix Resolution: Pillow - 6.2.2

Step up your Open Source Security Game with Mend here

CVE-2020-5312

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.

Publish Date: 2020-01-03

URL: CVE-2020-5312

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5312

Release Date: 2020-07-10

Fix Resolution: Pillow - 6.2.2

Step up your Open Source Security Game with Mend here

CVE-2022-22817

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used,

Publish Date: 2022-01-10

URL: CVE-2022-22817

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22817

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-34552

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.

Publish Date: 2021-07-13

URL: CVE-2021-34552

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow

Release Date: 2021-07-13

Fix Resolution: Pillow-8.3.0

Step up your Open Source Security Game with Mend here

CVE-2021-25289

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.

Publish Date: 2021-03-19

URL: CVE-2021-25289

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-03-19

Fix Resolution: 8.1.1

Step up your Open Source Security Game with Mend here

CVE-2022-24303

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.

Publish Date: 2022-03-28

URL: CVE-2022-24303

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9j59-75qj-795w

Release Date: 2022-03-28

Fix Resolution: Pillow - 9.0.1

Step up your Open Source Security Game with Mend here

CVE-2021-25287

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.

Publish Date: 2021-06-02

URL: CVE-2021-25287

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25287

Release Date: 2021-06-02

Fix Resolution: Pillow - 8.2.0

Step up your Open Source Security Game with Mend here

CVE-2021-25288

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.

Publish Date: 2021-06-02

URL: CVE-2021-25288

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25288

Release Date: 2021-06-02

Fix Resolution: Pillow - 8.2.0

Step up your Open Source Security Game with Mend here

CVE-2020-5310

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc.

Publish Date: 2020-01-03

URL: CVE-2020-5310

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5310

Release Date: 2020-01-31

Fix Resolution: Pillow - 6.2.2

Step up your Open Source Security Game with Mend here

CVE-2020-11538

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.

Publish Date: 2020-06-25

URL: CVE-2020-11538

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-27

Fix Resolution: 7.1.0

Step up your Open Source Security Game with Mend here

CVE-2020-10379

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c.

Publish Date: 2020-06-25

URL: CVE-2020-10379

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-27

Fix Resolution: 7.1.0

Step up your Open Source Security Game with Mend here

CVE-2019-19911

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer.

Publish Date: 2020-01-05

URL: CVE-2019-19911

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-08-24

Fix Resolution: Pillow - 6.2.2

Step up your Open Source Security Game with Mend here

WS-2022-0097

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

JpegImagePlugin may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder.

If the EOF marker is not detected as such however, this could lead to an infinite loop where JpegImagePlugin keeps trying to end the file.

Publish Date: 2022-03-11

URL: WS-2022-0097

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4fx9-vc88-q2xc

Release Date: 2022-03-11

Fix Resolution: Pillow - 9.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-27923

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.
Mend Note: After conducting further research, Mend has determined that all versions of Pillow up to version 8.1.1 are vulnerable to CVE-2021-27923.

Publish Date: 2021-03-03

URL: CVE-2021-27923

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html

Release Date: 2021-03-03

Fix Resolution: Pillow - 8.1.2

Step up your Open Source Security Game with Mend here

CVE-2019-16865

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

Publish Date: 2019-10-04

URL: CVE-2019-16865

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16865

Release Date: 2019-10-04

Fix Resolution: 6.2.0

Step up your Open Source Security Game with Mend here

CVE-2021-25290

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.

Publish Date: 2021-03-19

URL: CVE-2021-25290

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-03-19

Fix Resolution: 8.1.1

Step up your Open Source Security Game with Mend here

CVE-2021-25291

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.

Publish Date: 2021-03-19

URL: CVE-2021-25291

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-03-19

Fix Resolution: 8.1.1

Step up your Open Source Security Game with Mend here

CVE-2021-25293

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.

Publish Date: 2021-03-19

URL: CVE-2021-25293

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-03-19

Fix Resolution: 8.1.1

Step up your Open Source Security Game with Mend here

CVE-2022-45198

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).

Publish Date: 2022-11-14

URL: CVE-2022-45198

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-11-14

Fix Resolution: Pillow - 9.2.0

Step up your Open Source Security Game with Mend here

CVE-2022-45199

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.

Publish Date: 2022-11-14

URL: CVE-2022-45199

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-11-14

Fix Resolution: Pillow - 9.3.0

Step up your Open Source Security Game with Mend here

CVE-2021-23437

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.

Publish Date: 2021-09-03

URL: CVE-2021-23437

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html

Release Date: 2021-09-03

Fix Resolution: Pillow - 8.3.2

Step up your Open Source Security Game with Mend here

CVE-2021-28676

Vulnerable Library - Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/ae/2a/0a0ab2833e5270664fb5fae590717f867ac6319b124160c09f1d3291de28/Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Path to vulnerable library: /Assembly/telefang/rip_scripts/sheets/web_preview/requirements.txt

Dependency Hierarchy:

  • Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9e0d344ff5470d9a7c9bf05b48efd265ddd017aa

Found in base branch: master

Vulnerability Details

An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.

Publish Date: 2021-06-02

URL: CVE-2021-28676

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28676

Release Date: 2021-06-02

Fix Resolution: Pillow - 8.2.0

Step up your Open Source Security Game with Mend here

Missing Macro parameters

Argument count is not being detected prior to creating the function definition.
Likely cause is the nested if/rept .Lines collection.

xunit-2.5.1: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - xunit-2.5.1

Path to dependency file: /Tests/Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Found in HEAD commit: 2dda2366952dd4a835dea6f0f60f55eae8d921b3

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (xunit version) Remediation Possible**
CVE-2018-8292 High 7.5 system.net.http.4.3.0.nupkg Transitive N/A*
CVE-2019-0820 High 7.5 system.text.regularexpressions.4.3.0.nupkg Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2018-8292

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers.

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /Tests/Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • xunit-2.5.1 (Root Library)
    • xunit.assert-2.5.1
      • netstandard.library.1.6.1.nupkg
        • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 2dda2366952dd4a835dea6f0f60f55eae8d921b3

Found in base branch: master

Vulnerability Details

An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.

Publish Date: 2018-10-10

URL: CVE-2018-8292

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-10-10

Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1

Step up your Open Source Security Game with Mend here

CVE-2019-0820

Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg

Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...

Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg

Path to dependency file: /Tests/Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Dependency Hierarchy:

  • xunit-2.5.1 (Root Library)
    • xunit.assert-2.5.1
      • netstandard.library.1.6.1.nupkg
        • system.xml.xdocument.4.3.0.nupkg
          • system.xml.readerwriter.4.3.0.nupkg
            • system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 2dda2366952dd4a835dea6f0f60f55eae8d921b3

Found in base branch: master

Vulnerability Details

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.

Publish Date: 2019-05-16

URL: CVE-2019-0820

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cmhx-cq75-c4mj

Release Date: 2019-05-16

Fix Resolution: System.Text.RegularExpressions - 4.3.1

Step up your Open Source Security Game with Mend here

xunit.2.5.0.nupkg: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - xunit.2.5.0.nupkg

Path to dependency file: /Tests/Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Found in HEAD commit: 3a7d4673949ec8ebff4cf520b409a8591ba4c3c6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (xunit.2.5.0.nupkg version) Remediation Possible**
CVE-2018-8292 High 7.5 system.net.http.4.3.0.nupkg Transitive N/A*
CVE-2019-0820 High 7.5 system.text.regularexpressions.4.3.0.nupkg Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2018-8292

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers.

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /Tests/Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.5.0.nupkg (Root Library)
    • xunit.assert.2.5.0.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 3a7d4673949ec8ebff4cf520b409a8591ba4c3c6

Found in base branch: master

Vulnerability Details

An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.

Publish Date: 2018-10-10

URL: CVE-2018-8292

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-10-10

Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1

Step up your Open Source Security Game with Mend here

CVE-2019-0820

Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg

Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...

Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg

Path to dependency file: /Tests/Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.5.0.nupkg (Root Library)
    • xunit.assert.2.5.0.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.xml.xdocument.4.3.0.nupkg
          • system.xml.readerwriter.4.3.0.nupkg
            • system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 3a7d4673949ec8ebff4cf520b409a8591ba4c3c6

Found in base branch: master

Vulnerability Details

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.

Publish Date: 2019-05-16

URL: CVE-2019-0820

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cmhx-cq75-c4mj

Release Date: 2019-05-16

Fix Resolution: System.Text.RegularExpressions - 4.3.1

Step up your Open Source Security Game with Mend here

xunit.2.5.1.nupkg: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - xunit.2.5.1.nupkg

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Found in HEAD commit: c5b3d778ed8b3543109bf5f7047e17ffe9677e14

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (xunit.2.5.1.nupkg version) Remediation Possible**
CVE-2019-0820 High 7.5 system.text.regularexpressions.4.3.0.nupkg Transitive N/A*
CVE-2018-8292 Medium 5.5 system.net.http.4.3.0.nupkg Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-0820

Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg

Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...

Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg

Path to dependency file: /Tests/Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.5.1.nupkg (Root Library)
    • xunit.assert.2.5.1.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.xml.xdocument.4.3.0.nupkg
          • system.xml.readerwriter.4.3.0.nupkg
            • system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: c5b3d778ed8b3543109bf5f7047e17ffe9677e14

Found in base branch: master

Vulnerability Details

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.

Publish Date: 2019-05-16

URL: CVE-2019-0820

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cmhx-cq75-c4mj

Release Date: 2019-05-16

Fix Resolution: System.Text.RegularExpressions - 4.3.1

Step up your Open Source Security Game with Mend here

CVE-2018-8292

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers.

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /Tests/Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.5.1.nupkg (Root Library)
    • xunit.assert.2.5.1.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: c5b3d778ed8b3543109bf5f7047e17ffe9677e14

Found in base branch: master

Vulnerability Details

An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.

Publish Date: 2018-10-10

URL: CVE-2018-8292

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-10-10

Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1

Step up your Open Source Security Game with Mend here

Create OutputLine

Add to the interface that all codeline types need to implement a csharp output method.
Add a default implementation of commented out line.

xunit.2.4.2.nupkg: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - xunit.2.4.2.nupkg

Path to dependency file: /Tests/Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Found in HEAD commit: 260a7c8cbdb9d4cf6b7cae0d037a7aab343c46ff

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (xunit.2.4.2.nupkg version) Remediation Available
CVE-2018-8292 High 7.5 system.net.http.4.3.0.nupkg Transitive N/A*
CVE-2019-0820 High 7.5 system.text.regularexpressions.4.3.0.nupkg Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2018-8292

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers.

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /Tests/Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.4.2.nupkg (Root Library)
    • xunit.assert.2.4.2.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 260a7c8cbdb9d4cf6b7cae0d037a7aab343c46ff

Found in base branch: master

Vulnerability Details

An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.

Publish Date: 2018-10-10

URL: CVE-2018-8292

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-10-10

Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1

Step up your Open Source Security Game with Mend here

CVE-2019-0820

Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg

Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...

Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg

Path to dependency file: /Tests/Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.4.2.nupkg (Root Library)
    • xunit.assert.2.4.2.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.xml.xdocument.4.3.0.nupkg
          • system.xml.readerwriter.4.3.0.nupkg
            • system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 260a7c8cbdb9d4cf6b7cae0d037a7aab343c46ff

Found in base branch: master

Vulnerability Details

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.

Publish Date: 2019-05-16

URL: CVE-2019-0820

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cmhx-cq75-c4mj

Release Date: 2019-05-16

Fix Resolution: System.Text.RegularExpressions - 4.3.1

Step up your Open Source Security Game with Mend here

coverlet.collector.6.0.0.nupkg: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - coverlet.collector.6.0.0.nupkg

Coverlet is a cross platform code coverage library for .NET, with support for line, branch and method coverage.

Library home page: https://api.nuget.org/packages/coverlet.collector.6.0.0.nupkg

Path to dependency file: /Tests/Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/coverlet.collector/6.0.0/coverlet.collector.6.0.0.nupkg

Found in HEAD commit: ebd5af7a5bf9816d96f278d1a01a0e9391a8684b

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (coverlet.collector.6.0.0.nupkg version) Remediation Possible**
CVE-2024-21907 High 7.5 coverlet.collector.6.0.0.nupkg Direct Newtonsoft.Json - 13.0.1;Microsoft.Extensions.ApiDescription.Server - 6.0.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-21907

Vulnerable Library - coverlet.collector.6.0.0.nupkg

Coverlet is a cross platform code coverage library for .NET, with support for line, branch and method coverage.

Library home page: https://api.nuget.org/packages/coverlet.collector.6.0.0.nupkg

Path to dependency file: /Tests/Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/coverlet.collector/6.0.0/coverlet.collector.6.0.0.nupkg

Dependency Hierarchy:

  • coverlet.collector.6.0.0.nupkg (Vulnerable Library)

Found in HEAD commit: ebd5af7a5bf9816d96f278d1a01a0e9391a8684b

Found in base branch: master

Vulnerability Details

Newtonsoft.Json before version 13.0.1 is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition.

Publish Date: 2024-01-03

URL: CVE-2024-21907

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5crp-9r3c-p9vr

Release Date: 2024-01-03

Fix Resolution: Newtonsoft.Json - 13.0.1;Microsoft.Extensions.ApiDescription.Server - 6.0.0

Step up your Open Source Security Game with Mend here

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

github-actions
.github/workflows/codacy-analysis.yml
  • actions/checkout v4
  • codacy/codacy-analysis-cli-action v4.4.0
  • github/codeql-action v3
.github/workflows/codacy-coverage-reporter.yaml
  • b3b00/coverlet-action 1.2.9
.github/workflows/codeql-analysis.yml
  • actions/checkout v4
  • actions/setup-dotnet v4
  • github/codeql-action v3
  • github/codeql-action v3
  • github/codeql-action v3
.github/workflows/codeql.yml
  • actions/checkout v4
  • github/codeql-action v3
  • github/codeql-action v3
  • github/codeql-action v3
.github/workflows/dotnet.yml
  • actions/checkout v4
  • actions/setup-dotnet v4
  • codecov/codecov-action v4
  • zyborg/dotnet-tests-report v1.4.4
.github/workflows/gitguardian.yml
  • actions/checkout v4
nuget
RGBDS2CIL/RGBDS2CIL.csproj
  • Newtonsoft.Json 13.0.3
  • Microsoft.CodeAnalysis.CSharp.Scripting 4.8.0
  • Lokad.ILPack 0.2.0
  • CodeCracker.CSharp 1.1.0
Tests/Tests.csproj
  • coverlet.collector 6.0.0
  • xunit.runner.visualstudio 2.5.7
  • xunit 2.7.0
  • Microsoft.NET.Test.Sdk 17.9.0
  • Check this box to trigger a request for Renovate to run again on this repository

Import binary data from external file

Could not include binary, baserom.gb

Add support for second and third params for INCBIN to accept offset and length of binary to include

INCBIN "baserom.gb", $43, $48 - $43

xunit.2.6.4.nupkg: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - xunit.2.6.4.nupkg

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (xunit.2.6.4.nupkg version) Remediation Possible**
CVE-2019-0820 High 7.5 system.text.regularexpressions.4.3.0.nupkg Transitive N/A*
CVE-2018-8292 Medium 5.5 system.net.http.4.3.0.nupkg Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-0820

Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg

Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...

Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg

Path to dependency file: /Tests/Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.6.4.nupkg (Root Library)
    • xunit.core.2.6.4.nupkg
      • xunit.extensibility.core.2.6.4.nupkg
        • netstandard.library.1.6.1.nupkg
          • system.xml.xdocument.4.3.0.nupkg
            • system.xml.readerwriter.4.3.0.nupkg
              • system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.

Publish Date: 2019-05-16

URL: CVE-2019-0820

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cmhx-cq75-c4mj

Release Date: 2019-05-16

Fix Resolution: System.Text.RegularExpressions - 4.3.1

Step up your Open Source Security Game with Mend here

CVE-2018-8292

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers.

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /Tests/Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.6.4.nupkg (Root Library)
    • xunit.core.2.6.4.nupkg
      • xunit.extensibility.core.2.6.4.nupkg
        • netstandard.library.1.6.1.nupkg
          • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.

Publish Date: 2018-10-10

URL: CVE-2018-8292

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-10-10

Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1

Step up your Open Source Security Game with Mend here

Add Blargg and Mooneye tests as unit tests

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.