
.NET / ASP .NET CVEs package vulnerabilities backfill

Open skofman1 opened this issue 2 years ago • 26 comments

Hi team!

We would like to backfill to the DB NuGet package vulnerabilities for 2017-2020. The list of vulnerabilities below are for .NET and ASP.NET Microsoft packages. Those already have CVEs and the impacted packages were specified in announcements published with each CVE in the .NET / ASP.NET Announcement repositories (https://github.com/dotnet/announcements/issues?q=is%3Aissue+is%3Aopen+cve , https://github.com/aspnet/announcements/issues?q=is%3Aopen+is%3Aissue+cve).

Please let me know if additional details are needed. //cc @taladrane , @JonDouglas, @leecow

| CVE | Title | Announcement date | CVE URL | Announcement URL | Impacted software | Vulnerable package id | Vulnerable version range | Fixed in version |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2017-11879 | Open Redirect can cause Elevation Of Privilege | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11879 | https://github.com/aspnet/Announcements/issues/277 | ASP.NET Core 2.0 | Microsoft.AspNetCore.All | 2.0.0 | 2.0.3 |
| CVE-2017-11879 | Open Redirect can cause Elevation Of Privilege | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11879 | https://github.com/aspnet/Announcements/issues/277 | ASP.NET Core 2.0 | Microsoft.AspNetCore.Mvc.Core | 2.0.0 | 2.0.1 |
| CVE-2017-11883 | Denial Of Service Vulnerability | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883 | https://github.com/aspnet/Announcements/issues/278 | ASP.NET Core 1.0, 1.1 and 2.0. | Microsoft.AspNetCore.Server.WebListener | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 | 1.0.6 |
| CVE-2017-11883 | Denial Of Service Vulnerability | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883 | https://github.com/aspnet/Announcements/issues/278 | ASP.NET Core 1.0, 1.1 and 2.0. | Microsoft.AspNetCore.Server.WebListener | 1.1.0, 1.1.1, 1.1.2 ,1.1.3 | 1.1.4 |
| CVE-2017-11883 | Denial Of Service Vulnerability | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883 | https://github.com/aspnet/Announcements/issues/278 | ASP.NET Core 1.0, 1.1 and 2.0. | Microsoft.Net.Http.Server | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 | 1.0.6 |
| CVE-2017-11883 | Denial Of Service Vulnerability | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883 | https://github.com/aspnet/Announcements/issues/278 | ASP.NET Core 1.0, 1.1 and 2.0. | Microsoft.Net.Http.Server | 1.1.0, 1.1.1, 1.1.2 ,1.1.3 | 1.1.4 |
| CVE-2017-11883 | Denial Of Service Vulnerability | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883 | https://github.com/aspnet/Announcements/issues/278 | ASP.NET Core 1.0, 1.1 and 2.0. | Microsoft.AspNetCore.Server.HttpSys | 2.0.0, 2.0.1 | 2.0.2 |
| CVE-2017-8700 | CORS bypass can enable Information Disclosure | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8700 | https://github.com/aspnet/Announcements/issues/279 | ASP.NET Core 1.0 and 1.1 | Microsoft.AspNetCore.Mvc.Core | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 | 1.0.6 |
| CVE-2017-8700 | CORS bypass can enable Information Disclosure | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8700 | https://github.com/aspnet/Announcements/issues/279 | ASP.NET Core 1.0 and 1.1 | Microsoft.AspNetCore.Mvc.Core | 1.1.0, 1.1.1, 1.1.2 ,1.1.3, 1.1.4 | 1.1.6 |
| CVE-2017-8700 | CORS bypass can enable Information Disclosure | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8700 | https://github.com/aspnet/Announcements/issues/279 | ASP.NET Core 1.0 and 1.1 | Microsoft.AspNetCore.Mvc.Cors | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 | 1.0.6 |
| CVE-2017-8700 | CORS bypass can enable Information Disclosure | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8700 | https://github.com/aspnet/Announcements/issues/279 | ASP.NET Core 1.0 and 1.1 | Microsoft.AspNetCore.Mvc.Cors | 1.1.0, 1.1.1, 1.1.2 ,1.1.3, 1.1.4 | 1.1.6 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Primitives | 4.4.0 | 4.4.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Http | 4.4.0 | 4.4.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.NetTcp | 4.4.0 | 4.4.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Duplex | 4.4.0 | 4.4.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Security | 4.4.0 | 4.4.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.Private.ServiceModel | 4.4.0 | 4.4.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Primitives | 4.3.0 | 4.3.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Http | 4.3.0 | 4.3.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.NetTcp | 4.3.0 | 4.3.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Duplex | 4.3.0 | 4.3.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Security | 4.3.0 | 4.3.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.Private.ServiceModel | 4.3.0 | 4.3.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Primitives | 4.1.0 | 4.1.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Http | 4.1.0 | 4.1.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.NetTcp | 4.1.0 | 4.1.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Duplex | 4.1.0 | 4.1.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Security | 4.1.0 | 4.1.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | https://github.com/dotnet/announcements/issues/51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.Private.ServiceModel | 4.1.0 | 4.1.1 |
| CVE-2018-8269 | Denial of Service Vulnerability in Odata | 9/10/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | https://github.com/aspnet/Announcements/issues/385 | ASP.NET Core | Microsoft.AspNetCore.DataProtection.AzureStorage | 2.1.1 | 2.1.2 |
| CVE-2018-8269 | Denial of Service Vulnerability in Odata | 9/10/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | https://github.com/aspnet/Announcements/issues/385 | ASP.NET Core | Microsoft.AspNetCore.DataProtection.AzureStorage | 2.2.0 | 2.2.1 |
| CVE-2018-8269 | Denial of Service Vulnerability in Odata | 9/10/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | https://github.com/aspnet/Announcements/issues/385 | ASP.NET Core | Microsoft.AspNetCore.All | [2.1.0, 2.1.12] | 2.1.13 |
| CVE-2018-8269 | Denial of Service Vulnerability in Odata | 9/10/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | https://github.com/aspnet/Announcements/issues/385 | ASP.NET Core | Microsoft.AspNetCore.All | [2.2.0, 2.2.6] | 2.2.7 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.Private.ServiceModel | [4.0.0, 4.1.1] | 4.1.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.Private.ServiceModel | [4.3.0, 4.3.1] | 4.3.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.Private.ServiceModel | [4.4.0, 4.4.2] | 4.4.4 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.Private.ServiceModel | [4.5.0, 4.5.1] | 4.5.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.Duplex | [4.0.0, 4.0.2] | 4.0.4 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.Duplex | [4.3.0, 4.3.1] | 4.3.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.Duplex | [4.4.0, 4.4.2] | 4.4.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.Duplex | [4.5.0, 4.5.1] | 4.5.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.Http | [4.0.0, 4.1.1] | 4.1.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.Http | [4.3.0, 4.3.1] | 4.3.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.Http | [4.4.0, 4.4.2] | 4.4.4 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.Http | [4.5.0, 4.5.1] | 4.5.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.NetTcp | [4.0.0, 4.1.1] | 4.1.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.NetTcp | [4.3.0, 4.3.1] | 4.3.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.NetTcp | [4.4.0, 4.4.2] | 4.4.4 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.NetTcp | [4.5.0, 4.5.1] | 4.5.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.Primitives | [4.0.0, 4.1.1] | 4.1.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.Primitives | [4.3.0, 4.3.1] | 4.3.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.Primitives | [4.4.0, 4.4.2] | 4.4.4 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.Primitives | [4.5.0, 4.5.1] | 4.5.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.Security | [4.0.0, 4.1.1] | 4.1.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.Security | [4.3.0, 4.3.1] | 4.3.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.Security | [4.4.0, 4.4.2] | 4.4.4 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | https://github.com/dotnet/announcements/issues/73 | .NET Core | System.ServiceModel.Security | [4.5.0, 4.5.1] | 4.5.3 |
| CVE-2018-8416 | .NET Core Tampering Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8416 | https://github.com/dotnet/announcements/issues/95 | .NET Core 2.1 | Microsoft.NETCore.App | [2.1.0, 2.1.6] | 2.1.7 |
| CVE-2019-0545 | .NET Core Information Disclosure Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0545 | https://github.com/dotnet/announcements/issues/94 | .NET Core 2.1 and 2.2 | Microsoft.NETCore.App | [2.1.0, 2.1.6] | 2.1.7 |
| CVE-2019-0546 | .NET Core Information Disclosure Vulnerability | 1/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0546 | https://github.com/dotnet/announcements/issues/95 | .NET Core 2.1 and 2.3 | Microsoft.NETCore.App | 2.2.0 | 2.2.1 |
| CVE-2019-0546 | .NET Core Information Disclosure Vulnerability | 1/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0546 | https://github.com/dotnet/announcements/issues/95 | .NET Core 2.1 and 2.3 | System.Net.Http | ? | ? |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | https://github.com/aspnet/Announcements/issues/334 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.WebSockets | 2.2.0 | 2.2.1 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | https://github.com/aspnet/Announcements/issues/334 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.WebSockets | 2.1.0, 2.1.1 | 2.1.7 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | https://github.com/aspnet/Announcements/issues/334 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.Server.Kestrel.Core | 2.1.0, 2.1.1, 2.1.2, 2.1.3 | 2.1.7 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | https://github.com/aspnet/Announcements/issues/334 | ASP.NET Core 2.1 and 2.2 | System.Net.WebSockets.WebSocketProtocol | 4.5.0, 4.5.1, 4.5.2 | 4.5.3 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | https://github.com/aspnet/Announcements/issues/334 | ASP.NET Core 2.1 and 2.2 | Microsoft.NETCore.App | 2.2.0 | 2.2.1 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | https://github.com/aspnet/Announcements/issues/334 | ASP.NET Core 2.1 and 2.2 | Microsoft.NETCore.App | 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.1.7 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | https://github.com/aspnet/Announcements/issues/334 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.App | 2.2.0 | 2.2.1 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | https://github.com/aspnet/Announcements/issues/334 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.App | 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.1.7 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | https://github.com/aspnet/Announcements/issues/334 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.All | 2.2.0 | 2.2.1 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | https://github.com/aspnet/Announcements/issues/334 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.All | 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.1.7 |
| CVE-2019-0657 | .NET Core Domain Spoofing Vulnerability | 2/12/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0657 | https://github.com/dotnet/announcements/issues/97 | .NET Core 1.0, 1.1, 2.1 and 2.2 | System.Private.Uri | [4.3.0, 4.3.1] | 4.3.2 |
| CVE-2019-0657 | .NET Core Domain Spoofing Vulnerability | 2/12/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0657 | https://github.com/dotnet/announcements/issues/97 | .NET Core 1.0, 1.1, 2.1 and 2.2 | Microsoft.NETCore.App | [2.1.0, 2.1.7] | 2.1.8 |
| CVE-2019-0657 | .NET Core Domain Spoofing Vulnerability | 2/12/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0657 | https://github.com/dotnet/announcements/issues/97 | .NET Core 1.0, 1.1, 2.1 and 2.2 | Microsoft.NETCore.App | [2.2.0, 2.2.1] | 2.2.2 |
| CVE-2019-0980 | .NET Core Denial of Service Vulnerability | 5/14/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0980 | https://github.com/dotnet/announcements/issues/112 | .NET Core and ASP.NET Core 1.0, 1.1, 2.1 and 2.2 | System.Private.Uri | [4.3.0, 4.3.1] | 4.3.2 |
| CVE-2019-0981 | .NET Core Denial of Service Vulnerability | 5/14/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0981 | https://github.com/dotnet/announcements/issues/113 | .NET Core and ASP.NET Core 1.0, 1.1, 2.1 and 2.2 | System.Private.Uri | [4.3.0, 4.3.1] | 4.3.2 |
| CVE-2019-0982 | ASP.NET Core Denial of Service Vulnerability | 5/14/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0982 | https://github.com/aspnet/Announcements/issues/359 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.SignalR.Protocols.MessagePack | [1.0.0, 1.0.4] | 1.0.11 |
| CVE-2019-0982 | ASP.NET Core Denial of Service Vulnerability | 5/14/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0982 | https://github.com/aspnet/Announcements/issues/359 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.SignalR.Protocols.MessagePack | 1.1.0 | 1.1.5 |
| CVE-2019-1075 | ASP.NET Core Spoofing Vulnerability | 7/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | https://github.com/aspnet/Announcements/issues/373 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.Server.HttpSys | 2.1.0, 2.1.1 | 2.1.12 |
| CVE-2019-1075 | ASP.NET Core Spoofing Vulnerability | 7/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | https://github.com/aspnet/Announcements/issues/373 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.Server.HttpSys | 2.2.0 | 2.2.6 |
| CVE-2019-1075 | ASP.NET Core Spoofing Vulnerability | 7/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | https://github.com/aspnet/Announcements/issues/373 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.Server.IIS | 2.2.0, 2.2.1, 2.2.2 | 2.2.6 |
| CVE-2019-1075 | ASP.NET Core Spoofing Vulnerability | 7/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | https://github.com/aspnet/Announcements/issues/373 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.All | [2.1.0, 2.1.11] | 2.1.12 |
| CVE-2019-1075 | ASP.NET Core Spoofing Vulnerability | 7/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | https://github.com/aspnet/Announcements/issues/373 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.All | [2.2.0, 2.2.5] | 2.2.6 |
| CVE-2019-1075 | ASP.NET Core Spoofing Vulnerability | 7/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | https://github.com/aspnet/Announcements/issues/373 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.App | [2.1.0,2.1.11] | 2.1.12 |
| CVE-2019-1075 | ASP.NET Core Spoofing Vulnerability | 7/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | https://github.com/aspnet/Announcements/issues/373 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.App | [2.2.0, 2.2.5] | 2.2.6 |
| CVE-2019-1302 | ASP.NET Core Elevation Of Privilege Vulnerability | 9/10/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1302 | https://github.com/aspnet/Announcements/issues/384 | ASP.NET Core | Microsoft.AspNetCore.SpaServices | [2.1.0, 2.1.1] | 2.1.2 |
| CVE-2019-1302 | ASP.NET Core Elevation Of Privilege Vulnerability | 9/10/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1302 | https://github.com/aspnet/Announcements/issues/384 | ASP.NET Core | Microsoft.AspNetCore.SpaServices | 2.2.0 | 2.2.1 |
| CVE-2020-0602 | ASP.NET Core Denial of Service Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602 | https://github.com/aspnet/Announcements/issues/402 | ASP.NET Core | Microsoft.AspNetCore.Http.Connections | [1.0.0, 1.0.4] | 1.0.15 |
| CVE-2020-0602 | ASP.NET Core Denial of Service Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602 | https://github.com/aspnet/Announcements/issues/402 | ASP.NET Core | Microsoft.AspNetCore.App | [2.1.0, 2.1.14] | 2.1.15 |
| CVE-2020-0602 | ASP.NET Core Denial of Service Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602 | https://github.com/aspnet/Announcements/issues/402 | ASP.NET Core | Microsoft.AspNetCore.App | 3.0.0 | 3.0.1 |
| CVE-2020-0602 | ASP.NET Core Denial of Service Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602 | https://github.com/aspnet/Announcements/issues/402 | ASP.NET Core | Microsoft.AspNetCore.App | 3.1.0 | 3.1.1 |
| CVE-2020-0602 | ASP.NET Core Denial of Service Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602 | https://github.com/aspnet/Announcements/issues/402 | ASP.NET Core | Microsoft.AspNetCore.All | [2.1.0, 2.1.14] | 2.1.15 |
| CVE-2020-0603 | ASP.NET Core Remote Code Execution Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603 | https://github.com/aspnet/Announcements/issues/403 | ASP.NET Core | Microsoft.AspNetCore.Http.Connections | [1.0.0, 1.0.4] | 1.0.15 |
| CVE-2020-0603 | ASP.NET Core Remote Code Execution Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603 | https://github.com/aspnet/Announcements/issues/403 | ASP.NET Core | Microsoft.AspNetCore.App | [2.1.0, 2.1.14] | 2.1.15 |
| CVE-2020-0603 | ASP.NET Core Remote Code Execution Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603 | https://github.com/aspnet/Announcements/issues/403 | ASP.NET Core | Microsoft.AspNetCore.App | 3.0.0 | 3.0.1 |
| CVE-2020-0603 | ASP.NET Core Remote Code Execution Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603 | https://github.com/aspnet/Announcements/issues/403 | ASP.NET Core | Microsoft.AspNetCore.App | 3.1.0 | 3.1.1 |
| CVE-2020-0603 | ASP.NET Core Remote Code Execution Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603 | https://github.com/aspnet/Announcements/issues/403 | ASP.NET Core | Microsoft.AspNetCore.All | [2.1.0, 2.1.14] | 2.1.15 |
| CVE-2020-0606 | .NET Core Remote Code Execution Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0606 | https://github.com/dotnet/announcements/issues/149 | .NET Core | Microsoft.WindowsDesktop.App.Ref | 3.0.1, 3.1.0 | 3.0.2, 3.1.1 |
| CVE-2020-1045 | Microsoft ASP.NET Core Security Feature Bypass Vulnerability | 9/8/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 | https://github.com/dotnet/announcements/issues/165 | ASP.NET Core | Microsoft.AspNetCore.Http | [2.1.0, 2.1.1] | 2.1.22 |
| CVE-2020-1045 | Microsoft ASP.NET Core Security Feature Bypass Vulnerability | 9/8/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 | https://github.com/dotnet/announcements/issues/165 | ASP.NET Core | Microsoft.AspNetCore.App.Ref | [3.1.0, 3.1.3] | 3.1.8 |
| CVE-2020-1045 | Microsoft ASP.NET Core Security Feature Bypass Vulnerability | 9/8/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 | https://github.com/dotnet/announcements/issues/165 | ASP.NET Core | Microsoft.AspNetCore.Owin | [1.0.0, 3.1.7] | 3.1.8 |

skofman1 avatar May 19 '22 19:05 skofman1

thank you @skofman1 for sharing this with us! we've made an internal issue to track this and have added this to our backfill queue. this information is extremely helpful! I'll let you know if we have any additional questions once we've started going through it 😄

taladrane avatar May 19 '22 21:05 taladrane

Hey @skofman1, sorry for the delay, but we're now live-ish 🎉

A few notes. Your list has CVE-2019-0545 as affecting Microsoft.NETCore.App in >= 2.1.0, < 2.1.7 with 2.1.7 as the fix. I assume this is a typo as the reference has two ranges for System.Net.Http. I've followed https://github.com/dotnet/announcements/issues/94 for our advisory.

Similarly, CVE-2019-0546 lists Microsoft.NETCore.App and System.Net.Http for the affected packages, while https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0546 lists Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8). Should this one be for Microsoft.NETCore.App with the two ranges >= 2.1.0, < 2.1.7 & = 2.2.0? Currently holding off on publishing this one.

CVE-2020-0606 / https://github.com/dotnet/announcements/issues/149: The dotnet announcement mentions "Any .NET Core application running on .NET Core 3.0.0, 3.0.1 or 3.1.0." for affected software, and your notes list WindowsDesktop.App, which does not seem to exist (https://www.nuget.org/packages/WindowsDesktop.App). Makes me think this is for the runtime and not a package, but let me know if I'm wrong there.

CVE-2020-1045 / https://github.com/dotnet/announcements/issues/165: Similar affected software description, and your note of Microsoft.Owin is missing both fix versions (2.1.22 and 3.1.8) that you suggest: https://www.nuget.org/packages/Microsoft.Owin. https://github.com/dotnet/aspnetcore/pull/24264 led me to Microsoft.AspNetCore.Http for this. Can I get a double check on that one as well?

Thank you so much for the great list and sorry again for the delay in getting this done 🙇

CC @taladrane

darakian avatar Jul 08 '22 19:07 darakian

I'm now hitting this too - are we sure these versions are correct on Microsoft.Owin (NuGet link)? There isn't a package 3.1.8 I can find on any feed after checking everywhere I know of...so I'm questioning if maybe some versions got mixed up here in the CG system? They are exactly the same versions as the line above with Microsoft.AspNetCore.App so maybe a copy/paste thing? This is triggering build governance though so it's becoming a blocker issue for us - can we help resolve?

NickCraver avatar Jul 23 '22 13:07 NickCraver

@darakian - looking at the questions.

RE: CVE-2019-0545 / https://github.com/dotnet/announcements/issues/94, the announcement provides the following.

| Package name | Vulnerable versions | Secure versions |
| --- | --- | --- |
| Microsoft.NETCore.App (System.Net.Http) | 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.1.7 |
| Microsoft.NETCore.App (System.Net.Http) | 2.2.0 | 2.2.1 |

~~This seems correct, though I may be missing something. Let me know.~~ Ah, you're looking at the CVE. I could be misunderstanding the entry - it looks to define 2.1.0 through 2.1.6, inclusive and 2.2.0. Is that not correct?

leecow avatar Jul 25 '22 16:07 leecow

Hey @leecow, the question I had about that one was with respect to @skofman1's list has Microsoft.NETCore.App rather than System.Net.Http. I assumed that meant https://www.nuget.org/packages/Microsoft.NETCore.App, but maybe that's incorrect.

@NickCraver which advisory is blocking you?

darakian avatar Jul 25 '22 17:07 darakian

@darakian It's the last one for Microsoft.Owin: https://nvd.nist.gov/vuln/detail/CVE-2020-1045 / https://github.com/advisories/GHSA-hxrm-9w7p-39cc I can't find how any of these relate to Microsoft.Owin and the fix recommending versions that don't exist (and aren't slightly off - it's recommending 3.1.8 when only 3.1.0 exists) leads me to believe we have something off in the data here. Any help would be much appreciated!

NickCraver avatar Jul 25 '22 17:07 NickCraver

Gotcha, yes, capturing the NetCore.app and 'included' package is confusing. Could the GitHub advisory follow a similar pattern to the .NET advisory? e.g. NetCore.App (System.Net.Http).

leecow avatar Jul 25 '22 17:07 leecow

@NickCraver Ah gotcha. Our advisory isn't blocking you on that though is it? I couldn't find the Owin reference so, I left it off of that.

@leecow our namespace is defined as the names used on Nuget.org. System.Net.Http in this case.

darakian avatar Jul 25 '22 20:07 darakian

@darakian I'm admittedly naive as to how these systems interact...it's triggering on internal builds in CG today as high severity and will break builds in under a month.

NickCraver avatar Jul 25 '22 20:07 NickCraver

@NickCraver and CG is breaking the build because it detects Microsoft.Owin in the offending range listed above?

darakian avatar Jul 25 '22 20:07 darakian

@darakian yep exactly, it advises upgrading from 3.0.0 to 3.1.8 but that's not possible/doesn't exist :)

NickCraver avatar Jul 25 '22 20:07 NickCraver
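The failure reported above (an advisory whose fix version was never published for the named package) can be caught by linting each advisory row before import. The following is an added example, not code from this thread, the advisory database or CG; `lint_row`, the finding labels and the `PUBLISHED` version lists are assumptions constructed for illustration, not fetched from nuget.org.

```python
import re

def parse_version(text):
    """'2.1.12' -> (2, 1, 12). Pre-release suffixes are out of scope for this sketch."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_vulnerable(spec):
    """Inclusive (low, high) bounds for the notations used in the issue's table:
    '[2.1.0, 2.1.11]' (interval), '2.1.0, 2.1.1' (explicit list), '2.2.0' (single)."""
    versions = [parse_version(v) for v in spec.strip().strip("[]").split(",")]
    return min(versions), max(versions)

def lint_row(row, published):
    """Return a list of data-quality findings for one advisory row.

    published maps package id -> set of version tuples known to exist on the feed;
    a package missing from the map skips the existence check.
    """
    findings = []

    # 1. The CVE id in the row must be the one the CVE URL points at.
    match = re.search(r"name=(CVE-\d{4}-\d+)$", row["cve_url"])
    if not match or match.group(1) != row["cve"]:
        findings.append("cve-url-mismatch")

    # 2. Range and fix must be parseable ('?' placeholders are reported, not guessed).
    try:
        _, high = parse_vulnerable(row["vulnerable"])
        fix = parse_version(row["fixed"])
    except ValueError:
        findings.append("unparsed-version")
        return findings

    # 3. The fix must sort above the highest vulnerable version.
    if fix <= high:
        findings.append("fix-not-above-range")

    # 4. The fix must be a version that was actually published for this package.
    known = published.get(row["package"])
    if known is not None and fix not in known:
        findings.append("fix-not-published")

    return findings

# Constructed feed snapshot (illustrative only, not real nuget.org data).
PUBLISHED = {
    "Microsoft.AspNetCore.App": {parse_version(v) for v in ("2.1.11", "2.1.12")},
    "Microsoft.Owin": {parse_version(v) for v in ("3.0.0", "3.0.1", "3.1.0")},
}

BASE = "https://cve.mitre.org/cgi-bin/cvename.cgi?name="
ROWS = [
    # Row as it appears in the issue's table.
    {"cve": "CVE-2019-1075", "cve_url": BASE + "CVE-2019-1075",
     "package": "Microsoft.AspNetCore.App", "vulnerable": "[2.1.0,2.1.11]", "fixed": "2.1.12"},
    # Row as it appears in the issue's table: the URL names a different CVE.
    {"cve": "CVE-2018-8269", "cve_url": BASE + "CVE-2019-1075",
     "package": "Microsoft.AspNetCore.All", "vulnerable": "[2.1.0, 2.1.12]", "fixed": "2.1.13"},
    # Constructed row mirroring the report in this thread: a 3.1.8 fix for Microsoft.Owin.
    {"cve": "CVE-2020-1045", "cve_url": BASE + "CVE-2020-1045",
     "package": "Microsoft.Owin", "vulnerable": "[1.0.0, 3.1.7]", "fixed": "3.1.8"},
    # Row as it appears in the issue's table: versions left as '?'.
    {"cve": "CVE-2019-0546", "cve_url": BASE + "CVE-2019-0546",
     "package": "System.Net.Http", "vulnerable": "?", "fixed": "?"},
]

if __name__ == "__main__":
    for row in ROWS:
        print(row["cve"], row["package"], lint_row(row, PUBLISHED) or "ok")
```

In a real pipeline the `PUBLISHED` map would be populated from the package feed the builds actually restore from, so a fix version that exists nowhere is rejected before it reaches build governance.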

@NickCraver that's not going to be us (github database) then. I suspect that someone may have changed something on the CG side when this list got put together.

@skofman1 might be the best contact there.

darakian avatar Jul 25 '22 20:07 darakian

@skofman1 I have an internal thread going from discovery this AM but thought this may be way downstream of the source mismatch, will add you to this! I assumed this was downstream but honestly no clue.

NickCraver avatar Jul 25 '22 21:07 NickCraver

@darakian, @leecow - regarding CVE-2019-0545 - https://www.nuget.org/packages/System.Net.Http doesn't have versions 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 with 2.17 being the fix. Those versions are valid only for https://www.nuget.org/packages/Microsoft.NETCore.App. I imagine that the intent in the [.NET Announcement](https://github.com/dotnet/announcements/issues/94) is that System.NET.Http has the underlying vulnerability that impacts Microsoft.NETCore.App, however, the version ranges are valid only for Microsoft.NETCore.App. @leecow, do we know which version ranges in System.NET.Http are impacted by this CVE? @darakian, I recommend updating the advisory CVE-2019-0545 for now to include only Microsoft.NETCore.App, until we get clarity on the correct version ranges for System.NET.Http.

Regarding CVE-2019-0546 - this is a data issue. Sorry about that.

Regarding CVE-2020-0606 / https://github.com/dotnet/announcements/issues/149 - @leecow, perhaps you can clarify here. Was your intent this package: https://www.nuget.org/packages/Microsoft.WindowsDesktop.App.Ref ?

Regarding CVE-2020-1045 / https://github.com/dotnet/announcements/issues/165 - @leecow , could you help clarify which https://www.nuget.org/packages/microsoft.owin packages are impacted?

@NickCraver - I imagine someone from CG used this data. Could you provide details on what CG solution your team uses? Is this Azure DevOps? If so, I can try to reach out to them internally.

skofman1 avatar Jul 26 '22 17:07 skofman1

@skofman1 Yep ADO here - and always feel free to ping on Teams too, I can link specific builds/incidents. This started happening last week for us (Thursday/Friday I think) so assuming the same as you here that same data source got pulled in. Thanks a ton for helping us get sorted!

NickCraver avatar Jul 26 '22 18:07 NickCraver

> the advisory CVE-2019-0545 for now to include only Microsoft.NETCore.App, until we get clarity on the correct version ranges for System.NET.Http.

Ok, just to double check you mean a change of the affected product from System.NET.Http to Microsoft.NETCore.App?

darakian avatar Jul 26 '22 18:07 darakian

> Ok, just to double check you mean a change of the affected product from System.NET.Http to Microsoft.NETCore.App?

Yes, exactly.

skofman1 avatar Jul 26 '22 19:07 skofman1

> Yes, exactly.

Thank you much. We're updated 👍

darakian avatar Jul 26 '22 19:07 darakian

Answers to a few of the outstanding questions:

CVE-2020-0606 / https://github.com/dotnet/announcements/issues/149 - Should reference https://www.nuget.org/packages/Microsoft.WindowsDesktop.App.Ref?

Yes. This is somewhat analogous to the NetCore.App vs affected underlying component discussion.

CVE-2020-1045 / https://github.com/dotnet/announcements/issues/165 - which https://www.nuget.org/packages/microsoft.owin packages are impacted?

The affected owin package is Microsoft.AspNetCore.Owin rather than Microsoft.Owin. Fixed version 3.1.8.

leecow avatar Jul 26 '22 23:07 leecow

@leecow many thanks 👍 Those two advisories are now updated on our end.

darakian avatar Jul 28 '22 22:07 darakian

@darakian , @leecow and I worked offline on CVE-2020-1045 and this is the full set of impacted packages (I updated the table above as well).

| CVE | Title | Announcement date | CVE URL | Announcement URL | Impacted software | Vulnerable package id | Vulnerable version range | Fixed in version |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-1045 | Microsoft ASP.NET Core Security Feature Bypass Vulnerability | 9/8/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 | https://github.com/dotnet/announcements/issues/165 | ASP.NET Core | Microsoft.AspNetCore.Http | [2.1.0, 2.1.1] | 2.1.22 |
| CVE-2020-1045 | Microsoft ASP.NET Core Security Feature Bypass Vulnerability | 9/8/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 | https://github.com/dotnet/announcements/issues/165 | ASP.NET Core | Microsoft.AspNetCore.App.Ref | [3.1.0, 3.1.3] | 3.1.8 |
| CVE-2020-1045 | Microsoft ASP.NET Core Security Feature Bypass Vulnerability | 9/8/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 | https://github.com/dotnet/announcements/issues/165 | ASP.NET Core | Microsoft.AspNetCore.Owin | [1.0.0, 3.1.7] | 3.1.8 |

skofman1 avatar Aug 03 '22 17:08 skofman1

@skofman1 many thanks for the update. Am I right in reading that last line that Microsoft.AspNetCore.Owin does not have a fix version at 2.1.22?

darakian avatar Aug 03 '22 19:08 darakian

@darakian , that's right. Microsoft.AspNetCore.Owin doesn't have version 2.1.22. https://www.nuget.org/packages/Microsoft.AspNetCore.Owin

skofman1 avatar Aug 03 '22 19:08 skofman1

Fantastic. Thank you much and I've updated our advisory to reflect 👍

darakian avatar Aug 03 '22 19:08 darakian
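
The mismatch worked through above (a fixed version such as 3.1.8 attached to a package id that never published it) can be caught mechanically before an advisory row ships. This is an added example, not code from the advisory database or from any participant in the thread; the function names are hypothetical and the version lists are constructed from versions mentioned in the thread, not taken from nuget.org.

```python
import re

def parse_version(text):
    """'3.1.8' -> (3, 1, 8, 0); padded so '3.1' and '3.1.0' compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def parse_interval(text):
    """Parse NuGet interval notation, e.g. '[1.0.0, 3.1.7]' or '[2.1.0, 2.1.22)'."""
    m = re.fullmatch(r"\s*([\[(])\s*([\d.]*)\s*,\s*([\d.]*)\s*([\])])\s*", text)
    if not m:
        raise ValueError(f"not a version interval: {text!r}")
    lo = parse_version(m.group(2)) if m.group(2) else None
    hi = parse_version(m.group(3)) if m.group(3) else None
    return lo, m.group(1) == "[", hi, m.group(4) == "]"

def in_interval(version, interval):
    lo, lo_inclusive, hi, hi_inclusive = interval
    if lo is not None and (version < lo or (version == lo and not lo_inclusive)):
        return False
    if hi is not None and (version > hi or (version == hi and not hi_inclusive)):
        return False
    return True

def check_row(package, vulnerable, fixed, published):
    """Return data-quality findings for one advisory row (empty list = consistent)."""
    versions = {parse_version(v) for v in published.get(package, [])}
    if not versions:
        return [f"{package}: no published versions known for this package id"]
    interval, fix, findings = parse_interval(vulnerable), parse_version(fixed), []
    if not any(in_interval(v, interval) for v in versions):
        findings.append(f"{package}: no published version falls in {vulnerable}")
    if fix not in versions:
        findings.append(f"{package}: fixed version {fixed} is not published")
    if in_interval(fix, interval):
        findings.append(f"{package}: fixed version {fixed} lies inside {vulnerable}")
    return findings

# Constructed sample: only versions mentioned in the thread, not a nuget.org listing.
PUBLISHED = {
    "Microsoft.Owin": ["3.0.0", "3.1.0"],
    "Microsoft.AspNetCore.Owin": ["1.0.0", "3.1.7", "3.1.8"],
}
ROWS = [("Microsoft.Owin", "[1.0.0, 3.1.7]", "3.1.8"),
        ("Microsoft.AspNetCore.Owin", "[1.0.0, 3.1.7]", "3.1.8")]

if __name__ == "__main__":
    for row in ROWS:
        print(row[0], check_row(*row, PUBLISHED) or "consistent")
```

In practice the `published` mapping would be filled from the package feed's version index, so a row whose package id was mistyped or swapped for a sibling package fails the check instead of producing an upgrade recommendation that cannot be followed.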

@skofman1 Looks like some of the details for dotnet/announcements#73 were not properly added in the advisory.

On https://github.com/advisories/GHSA-p9wx-v264-q34p, for System.ServiceModel.Duplex and System.ServiceModel.Security, it includes affected versions >= 4.0.0, < 4.1.3 with patched version 4.1.3, but the table above and the announcement say vulnerable versions are 4.0.0, 4.0.1 and 4.0.2, with secure version 4.0.4.

This caused us to get alerts from a dependency on Microsoft.NETCore.UniversalWindowsPlatform which I believe were false positives. I have submitted a suggestion for improvements in #574

florelis avatar Aug 08 '22 18:08 florelis

Thanks for reporting, @lechacon!

@darakian , could you take a look pls?

skofman1 avatar Aug 08 '22 18:08 skofman1

@lechacon & @skofman1 sorry about that and sorry for the late reply (I was out for a few days). A colleague of mine has gone ahead and put those updates through. Let me know if you see anything else.

darakian avatar Aug 18 '22 17:08 darakian

> Regarding CVE-2019-0546 - this is a data issue. Sorry about that.

@skofman1 We're seeking clarification before deciding whether to publish or close. Is CVE-2019-0546 a valid vulnerability? Does it affect Microsoft.NETCore.App and should we review this vulnerability/send out alerts? If CVE-2019-0546 only affects Microsoft Visual Studio, it doesn't affect a supported package and we can't review or alert on it.

shelbyc avatar Sep 01 '22 19:09 shelbyc

@shelbyc , CVE-2019-0546 was provided by mistake here. There are no impacted packages here. Feel free to remove.

skofman1 avatar Sep 01 '22 22:09 skofman1

Hello,

Can anyone verify that CVE-2020-1045 was permanently fixed for Microsoft.AspNetCore.Http as of 2.1.22, and the higher versions, including versions 2.2.x no longer have this vulnerability? Sonatype is reporting this is still an active issue directly via support chat:

""" For Microsoft.AspNetCore.Http:

So for the 2.1.x branch, we do have the vulnerable range closed off at 2.1.22 (not inclusive).

For the 2.2.x version, the advisory does not address this branch and we have found that it does have the vulnerable code in its versions. There are currently 5 2.2.x versions published to Nuget, the latest published on 2/12/2019, and all contain the vulnerable code. We are monitoring new releases of this component and will close off the vulnerable range for the 2.2.x branch should a fix ever be released for it. """

If you can verify, can you please provide documentation so I can try to get this updated? Thank you!

jeran-urban avatar Nov 22 '22 22:11 jeran-urban