cube-soft / cube.core Goto Github PK

Vulnerable Library - system.private.uri.4.3.0.nupkg

Internal implementation package not meant for direct consumption. Please do not reference directly....

Library home page: https://api.nuget.org/packages/system.private.uri.4.3.0.nupkg

Path to vulnerable library: /packages/system.private.uri/4.3.0/system.private.uri.4.3.0.nupkg

Dependency Hierarchy:

• ❌ system.private.uri.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 15170da484d366175b3e70ba0b83b8fab75356fa

Vulnerability Details

A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests, aka '.Net Framework and .Net Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0820, CVE-2019-0980.

Publish Date: 2019-05-16

URL: CVE-2019-0981

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0981

Release Date: 2019-05-16

Fix Resolution: 4.3.2

Vulnerable Library - system.private.uri.4.3.0.nupkg

Internal implementation package not meant for direct consumption. Please do not reference directly....

Library home page: https://api.nuget.org/packages/system.private.uri.4.3.0.nupkg

Path to vulnerable library: /packages/system.private.uri/4.3.0/system.private.uri.4.3.0.nupkg

Dependency Hierarchy:

• ❌ system.private.uri.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 15170da484d366175b3e70ba0b83b8fab75356fa

Vulnerability Details

A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests, aka '.Net Framework and .Net Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0820, CVE-2019-0981.

Publish Date: 2019-05-16

URL: CVE-2019-0980

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0980

Release Date: 2019-05-16

Fix Resolution: 4.3.2

Vulnerable Libraries - log4net-2.0.8.0.dll, opencover.4.7.922.nupkg

Found in HEAD commit: 38e5989cefb3d13be89a15ab297370e8ae26770d

Found in base branch: master

Vulnerability Details

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

Publish Date: 2020-05-11

URL: CVE-2018-1285

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/apache/logging-log4net/tree/rel/2.0.10

Release Date: 2020-05-11

Fix Resolution: log4net - 2.0.10

Vulnerable Library - system.private.uri.4.3.0.nupkg

Internal implementation package not meant for direct consumption. Please do not reference directly....

Library home page: https://api.nuget.org/packages/system.private.uri.4.3.0.nupkg

Path to vulnerable library: /packages/system.private.uri/4.3.0/system.private.uri.4.3.0.nupkg

Dependency Hierarchy:

• ❌ system.private.uri.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 15170da484d366175b3e70ba0b83b8fab75356fa

Vulnerability Details

A vulnerability exists in certain .Net Framework API's and Visual Studio in the way they parse URL's, aka '.NET Framework and Visual Studio Spoofing Vulnerability'.

Publish Date: 2019-03-05

URL: CVE-2019-0657

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/dotnet/corefx/issues/35265

Release Date: 2018-11-26

Fix Resolution: Microsoft.NETCore.App.nupkg - 2.1.8,2.2.2;System.Private.Uri.nupkg - 4.3.1

Vulnerable Library - opencover.4.7.1221.nupkg

An open source code coverage tool (branch and sequence point) for all .NET Frameworks 2 and above. A...

Library home page: https://api.nuget.org/packages/opencover.4.7.1221.nupkg

Path to dependency file: /Tests/FileSystem/Cube.FileSystem.Tests.csproj

Path to vulnerable library: /../packages/opencover/4.7.1221/opencover.4.7.1221.nupkg,/../packages/opencover/4.7.1221/opencover.4.7.1221.nupkg

Dependency Hierarchy:

• ❌ opencover.4.7.1221.nupkg (Vulnerable Library)

Found in HEAD commit: 298706ba8643d090cef86463b2aaea38eccf3eac

Found in base branch: master

Vulnerability Details

Improper Handling of Exceptional Conditions in Newtonsoft.Json.
Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of StackOverFlow exception (SOE) whenever nested expressions are being processed. Exploiting this vulnerability results in Denial Of Service (DoS), and it is exploitable when an attacker sends 5 requests that cause SOE in time frame of 5 minutes. This vulnerability affects Internet Information Services (IIS) Applications.

Publish Date: 2022-06-22

URL: WS-2022-0161

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5crp-9r3c-p9vr

Release Date: 2022-06-22

Fix Resolution: Newtonsoft.Json - 13.0.1

Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg

Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...

Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg

Path to dependency file: Cube.Core/Tests/FileSystem/Cube.FileSystem.Tests.csproj

Path to vulnerable library: /usr/share/dotnet/sdk/NuGetFallbackFolder/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Dependency Hierarchy:

• nunit3testadapter.3.17.0.nupkg (Root Library)
  • system.xml.xmldocument.4.3.0.nupkg
    • system.xml.readerwriter.4.3.0.nupkg
      • ❌ system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 15170da484d366175b3e70ba0b83b8fab75356fa

Vulnerability Details

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.

Publish Date: 2019-05-16

URL: CVE-2019-0820

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High