Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

.NET / ASP .NET CVEs package vulnerabilities backfill #302

Closed
skofman1 opened this issue May 19, 2022 · 33 comments
Closed

.NET / ASP .NET CVEs package vulnerabilities backfill #302

skofman1 opened this issue May 19, 2022 · 33 comments

Comments

@skofman1
Copy link

skofman1 commented May 19, 2022

Hi team!

We would like to backfill to the DB NuGet package vulnerabilities for 2017-2020. The list of vulnerabilities below are for .NET and ASP.NET Microsoft packages. Those already have CVEs and the impacted packages were specified in announcements published with each CVE in the .NET / ASP.NET Announcement repositories (https://github.com/dotnet/announcements/issues?q=is%3Aissue+is%3Aopen+cve , https://github.com/aspnet/announcements/issues?q=is%3Aopen+is%3Aissue+cve).

Please let me know if additional details are needed. //cc @taladrane , @JonDouglas, @leecow

CVE Title Announcement date CVE URL Announcement URL Impacted software Vulnerable package id Vulnerable version range Fixed in version
CVE-2017-11879 Open Redirect can cause Elevation Of Privilege 11/14/2017 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11879 aspnet/Announcements#277 ASP.NET Core 2.0 Microsoft.AspNetCore.All 2.0.0 2.0.3
CVE-2017-11879 Open Redirect can cause Elevation Of Privilege 11/14/2017 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11879 aspnet/Announcements#277 ASP.NET Core 2.0 Microsoft.AspNetCore.Mvc.Core 2.0.0 2.0.1
CVE-2017-11883 Denial Of Service Vulnerability 11/14/2017 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883 aspnet/Announcements#278 ASP.NET Core 1.0, 1.1 and 2.0. Microsoft.AspNetCore.Server.WebListener 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 1.0.6
CVE-2017-11883 Denial Of Service Vulnerability 11/14/2017 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883 aspnet/Announcements#278 ASP.NET Core 1.0, 1.1 and 2.0. Microsoft.AspNetCore.Server.WebListener 1.1.0, 1.1.1, 1.1.2 ,1.1.3 1.1.4
CVE-2017-11883 Denial Of Service Vulnerability 11/14/2017 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883 aspnet/Announcements#278 ASP.NET Core 1.0, 1.1 and 2.0. Microsoft.Net.Http.Server 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 1.0.6
CVE-2017-11883 Denial Of Service Vulnerability 11/14/2017 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883 aspnet/Announcements#278 ASP.NET Core 1.0, 1.1 and 2.0. Microsoft.Net.Http.Server 1.1.0, 1.1.1, 1.1.2 ,1.1.3 1.1.4
CVE-2017-11883 Denial Of Service Vulnerability 11/14/2017 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883 aspnet/Announcements#278 ASP.NET Core 1.0, 1.1 and 2.0. Microsoft.AspNetCore.Server.HttpSys 2.0.0, 2.0.1 2.0.2
CVE-2017-8700 CORS bypass can enable Information Disclosure 11/14/2017 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8700 aspnet/Announcements#279 ASP.NET Core 1.0 and 1.1 Microsoft.AspNetCore.Mvc.Core 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 1.0.6
CVE-2017-8700 CORS bypass can enable Information Disclosure 11/14/2017 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8700 aspnet/Announcements#279 ASP.NET Core 1.0 and 1.1 Microsoft.AspNetCore.Mvc.Core 1.1.0, 1.1.1, 1.1.2 ,1.1.3, 1.1.4 1.1.6
CVE-2017-8700 CORS bypass can enable Information Disclosure 11/14/2017 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8700 aspnet/Announcements#279 ASP.NET Core 1.0 and 1.1 Microsoft.AspNetCore.Mvc.Cors 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 1.0.6
CVE-2017-8700 CORS bypass can enable Information Disclosure 11/14/2017 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8700 aspnet/Announcements#279 ASP.NET Core 1.0 and 1.1 Microsoft.AspNetCore.Mvc.Cors 1.1.0, 1.1.1, 1.1.2 ,1.1.3, 1.1.4 1.1.6
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.ServiceModel.Primitives 4.4.0 4.4.1
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.ServiceModel.Http 4.4.0 4.4.1
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.ServiceModel.NetTcp 4.4.0 4.4.1
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.ServiceModel.Duplex 4.4.0 4.4.1
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.ServiceModel.Security 4.4.0 4.4.1
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.Private.ServiceModel 4.4.0 4.4.1
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.ServiceModel.Primitives 4.3.0 4.3.1
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.ServiceModel.Http 4.3.0 4.3.1
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.ServiceModel.NetTcp 4.3.0 4.3.1
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.ServiceModel.Duplex 4.3.0 4.3.1
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.ServiceModel.Security 4.3.0 4.3.1
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.Private.ServiceModel 4.3.0 4.3.1
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.ServiceModel.Primitives 4.1.0 4.1.1
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.ServiceModel.Http 4.1.0 4.1.1
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.ServiceModel.NetTcp 4.1.0 4.1.1
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.ServiceModel.Duplex 4.1.0 4.1.1
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.ServiceModel.Security 4.1.0 4.1.1
CVE-2018-0786 Security Feature Bypass in X509 Certificate Validation 1/9/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 dotnet/announcements#51 WCF packages for .NET Core 1.0 and 1.1, and 2.0 System.Private.ServiceModel 4.1.0 4.1.1
CVE-2018-8269 Denial of Service Vulnerability in Odata 9/10/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 aspnet/Announcements#385 ASP.NET Core Microsoft.AspNetCore.DataProtection.AzureStorage 2.1.1 2.1.2
CVE-2018-8269 Denial of Service Vulnerability in Odata 9/10/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 aspnet/Announcements#385 ASP.NET Core Microsoft.AspNetCore.DataProtection.AzureStorage 2.2.0 2.2.1
CVE-2018-8269 Denial of Service Vulnerability in Odata 9/10/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 aspnet/Announcements#385 ASP.NET Core Microsoft.AspNetCore.All [2.1.0, 2.1.12] 2.1.13
CVE-2018-8269 Denial of Service Vulnerability in Odata 9/10/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 aspnet/Announcements#385 ASP.NET Core Microsoft.AspNetCore.All [2.2.0, 2.2.6] 2.2.7
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.Private.ServiceModel [4.0.0, 4.1.1] 4.1.3
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.Private.ServiceModel [4.3.0, 4.3.1] 4.3.3
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.Private.ServiceModel [4.4.0, 4.4.2] 4.4.4
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.Private.ServiceModel [4.5.0, 4.5.1] 4.5.3
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.Duplex [4.0.0, 4.0.2] 4.0.4
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.Duplex [4.3.0, 4.3.1] 4.3.3
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.Duplex [4.4.0, 4.4.2] 4.4.3
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.Duplex [4.5.0, 4.5.1] 4.5.3
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.Http [4.0.0, 4.1.1] 4.1.3
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.Http [4.3.0, 4.3.1] 4.3.3
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.Http [4.4.0, 4.4.2] 4.4.4
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.Http [4.5.0, 4.5.1] 4.5.3
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.NetTcp [4.0.0, 4.1.1] 4.1.3
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.NetTcp [4.3.0, 4.3.1] 4.3.3
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.NetTcp [4.4.0, 4.4.2] 4.4.4
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.NetTcp [4.5.0, 4.5.1] 4.5.3
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.Primitives [4.0.0, 4.1.1] 4.1.3
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.Primitives [4.3.0, 4.3.1] 4.3.3
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.Primitives [4.4.0, 4.4.2] 4.4.4
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.Primitives [4.5.0, 4.5.1] 4.5.3
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.Security [4.0.0, 4.1.1] 4.1.3
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.Security [4.3.0, 4.3.1] 4.3.3
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.Security [4.4.0, 4.4.2] 4.4.4
CVE-2018-8356 .NET Core Security Feature Bypass Vulnerability 7/10/2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 dotnet/announcements#73 .NET Core System.ServiceModel.Security [4.5.0, 4.5.1] 4.5.3
CVE-2018-8416 .NET Core Tampering Vulnerability 1/8/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8416 dotnet/announcements#95 .NET Core 2.1 Microsoft.NETCore.App [2.1.0, 2.1.6] 2.1.7
CVE-2019-0545 .NET Core Information Disclosure Vulnerability 1/8/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0545 dotnet/announcements#94 .NET Core 2.1 and 2.2 Microsoft.NETCore.App [2.1.0, 2.1.6] 2.1.7
CVE-2019-0546 .NET Core Information Disclosure Vulnerability 1/9/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0546 dotnet/announcements#95 .NET Core 2.1 and 2.3 Microsoft.NETCore.App 2.2.0 2.2.1
CVE-2019-0546 .NET Core Information Disclosure Vulnerability 1/9/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0546 dotnet/announcements#95 .NET Core 2.1 and 2.3 System.Net.Http ? ?
CVE-2019-0564 ASP.NET Core Denial of Service Vulnerability 1/8/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 aspnet/Announcements#334 ASP.NET Core 2.1 and 2.2 Microsoft.AspNetCore.WebSockets 2.2.0 2.2.1
CVE-2019-0564 ASP.NET Core Denial of Service Vulnerability 1/8/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 aspnet/Announcements#334 ASP.NET Core 2.1 and 2.2 Microsoft.AspNetCore.WebSockets 2.1.0, 2.1.1 2.1.7
CVE-2019-0564 ASP.NET Core Denial of Service Vulnerability 1/8/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 aspnet/Announcements#334 ASP.NET Core 2.1 and 2.2 Microsoft.AspNetCore.Server.Kestrel.Core 2.1.0, 2.1.1, 2.1.2, 2.1.3 2.1.7
CVE-2019-0564 ASP.NET Core Denial of Service Vulnerability 1/8/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 aspnet/Announcements#334 ASP.NET Core 2.1 and 2.2 System.Net.WebSockets.WebSocketProtocol 4.5.0, 4.5.1, 4.5.2 4.5.3
CVE-2019-0564 ASP.NET Core Denial of Service Vulnerability 1/8/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 aspnet/Announcements#334 ASP.NET Core 2.1 and 2.2 Microsoft.NETCore.App 2.2.0 2.2.1
CVE-2019-0564 ASP.NET Core Denial of Service Vulnerability 1/8/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 aspnet/Announcements#334 ASP.NET Core 2.1 and 2.2 Microsoft.NETCore.App 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 2.1.7
CVE-2019-0564 ASP.NET Core Denial of Service Vulnerability 1/8/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 aspnet/Announcements#334 ASP.NET Core 2.1 and 2.2 Microsoft.AspNetCore.App 2.2.0 2.2.1
CVE-2019-0564 ASP.NET Core Denial of Service Vulnerability 1/8/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 aspnet/Announcements#334 ASP.NET Core 2.1 and 2.2 Microsoft.AspNetCore.App 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 2.1.7
CVE-2019-0564 ASP.NET Core Denial of Service Vulnerability 1/8/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 aspnet/Announcements#334 ASP.NET Core 2.1 and 2.2 Microsoft.AspNetCore.All 2.2.0 2.2.1
CVE-2019-0564 ASP.NET Core Denial of Service Vulnerability 1/8/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 aspnet/Announcements#334 ASP.NET Core 2.1 and 2.2 Microsoft.AspNetCore.All 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 2.1.7
CVE-2019-0657 .NET Core Domain Spoofing Vulnerability 2/12/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0657 dotnet/announcements#97 .NET Core 1.0, 1.1, 2.1 and 2.2 System.Private.Uri [4.3.0, 4.3.1] 4.3.2
CVE-2019-0657 .NET Core Domain Spoofing Vulnerability 2/12/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0657 dotnet/announcements#97 .NET Core 1.0, 1.1, 2.1 and 2.2 Microsoft.NETCore.App [2.1.0, 2.1.7] 2.1.8
CVE-2019-0657 .NET Core Domain Spoofing Vulnerability 2/12/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0657 dotnet/announcements#97 .NET Core 1.0, 1.1, 2.1 and 2.2 Microsoft.NETCore.App [2.2.0, 2.2.1] 2.2.2
CVE-2019-0980 .NET Core Denial of Service Vulnerability 5/14/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0980 dotnet/announcements#112 .NET Core and ASP.NET Core 1.0, 1.1, 2.1 and 2.2 System.Private.Uri [4.3.0, 4.3.1] 4.3.2
CVE-2019-0981 .NET Core Denial of Service Vulnerability 5/14/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0981 dotnet/announcements#113 .NET Core and ASP.NET Core 1.0, 1.1, 2.1 and 2.2 System.Private.Uri [4.3.0, 4.3.1] 4.3.2
CVE-2019-0982 ASP.NET Core Denial of Service Vulnerability 5/14/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0982 aspnet/Announcements#359 ASP.NET Core 2.1 and 2.2 Microsoft.AspNetCore.SignalR.Protocols.MessagePack [1.0.0, 1.0.4] 1.0.11
CVE-2019-0982 ASP.NET Core Denial of Service Vulnerability 5/14/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0982 aspnet/Announcements#359 ASP.NET Core 2.1 and 2.2 Microsoft.AspNetCore.SignalR.Protocols.MessagePack 1.1.0 1.1.5
CVE-2019-1075 ASP.NET Core Spoofing Vulnerability 7/9/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 aspnet/Announcements#373 ASP.NET Core 2.1 and 2.2 Microsoft.AspNetCore.Server.HttpSys 2.1.0, 2.1.1 2.1.12
CVE-2019-1075 ASP.NET Core Spoofing Vulnerability 7/9/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 aspnet/Announcements#373 ASP.NET Core 2.1 and 2.2 Microsoft.AspNetCore.Server.HttpSys 2.2.0 2.2.6
CVE-2019-1075 ASP.NET Core Spoofing Vulnerability 7/9/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 aspnet/Announcements#373 ASP.NET Core 2.1 and 2.2 Microsoft.AspNetCore.Server.IIS 2.2.0, 2.2.1, 2.2.2 2.2.6
CVE-2019-1075 ASP.NET Core Spoofing Vulnerability 7/9/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 aspnet/Announcements#373 ASP.NET Core 2.1 and 2.2 Microsoft.AspNetCore.All [2.1.0, 2.1.11] 2.1.12
CVE-2019-1075 ASP.NET Core Spoofing Vulnerability 7/9/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 aspnet/Announcements#373 ASP.NET Core 2.1 and 2.2 Microsoft.AspNetCore.All [2.2.0, 2.2.5] 2.2.6
CVE-2019-1075 ASP.NET Core Spoofing Vulnerability 7/9/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 aspnet/Announcements#373 ASP.NET Core 2.1 and 2.2 Microsoft.AspNetCore.App [2.1.0,2.1.11] 2.1.12
CVE-2019-1075 ASP.NET Core Spoofing Vulnerability 7/9/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 aspnet/Announcements#373 ASP.NET Core 2.1 and 2.2 Microsoft.AspNetCore.App [2.2.0, 2.2.5] 2.2.6
CVE-2019-1302 ASP.NET Core Elevation Of Privilege Vulnerability 9/10/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1302 aspnet/Announcements#384 ASP.NET Core Microsoft.AspNetCore.SpaServices [2.1.0, 2.1.1] 2.1.2
CVE-2019-1302 ASP.NET Core Elevation Of Privilege Vulnerability 9/10/2019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1302 aspnet/Announcements#384 ASP.NET Core Microsoft.AspNetCore.SpaServices 2.2.0 2.2.1
CVE-2020-0602 ASP.NET Core Denial of Service Vulnerability 1/14/2020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602 aspnet/Announcements#402 ASP.NET Core Microsoft.AspNetCore.Http.Connections [1.0.0, 1.0.4] 1.0.15
CVE-2020-0602 ASP.NET Core Denial of Service Vulnerability 1/14/2020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602 aspnet/Announcements#402 ASP.NET Core Microsoft.AspNetCore.App [2.1.0, 2.1.14] 2.1.15
CVE-2020-0602 ASP.NET Core Denial of Service Vulnerability 1/14/2020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602 aspnet/Announcements#402 ASP.NET Core Microsoft.AspNetCore.App 3.0.0 3.0.1
CVE-2020-0602 ASP.NET Core Denial of Service Vulnerability 1/14/2020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602 aspnet/Announcements#402 ASP.NET Core Microsoft.AspNetCore.App 3.1.0 3.1.1
CVE-2020-0602 ASP.NET Core Denial of Service Vulnerability 1/14/2020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602 aspnet/Announcements#402 ASP.NET Core Microsoft.AspNetCore.All [2.1.0, 2.1.14] 2.1.15
CVE-2020-0603 ASP.NET Core Remote Code Execution Vulnerability 1/14/2020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603 aspnet/Announcements#403 ASP.NET Core Microsoft.AspNetCore.Http.Connections [1.0.0, 1.0.4] 1.0.15
CVE-2020-0603 ASP.NET Core Remote Code Execution Vulnerability 1/14/2020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603 aspnet/Announcements#403 ASP.NET Core Microsoft.AspNetCore.App [2.1.0, 2.1.14] 2.1.15
CVE-2020-0603 ASP.NET Core Remote Code Execution Vulnerability 1/14/2020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603 aspnet/Announcements#403 ASP.NET Core Microsoft.AspNetCore.App 3.0.0 3.0.1
CVE-2020-0603 ASP.NET Core Remote Code Execution Vulnerability 1/14/2020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603 aspnet/Announcements#403 ASP.NET Core Microsoft.AspNetCore.App 3.1.0 3.1.1
CVE-2020-0603 ASP.NET Core Remote Code Execution Vulnerability 1/14/2020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603 aspnet/Announcements#403 ASP.NET Core Microsoft.AspNetCore.All [2.1.0, 2.1.14] 2.1.15
CVE-2020-0606 .NET Core Remote Code Execution Vulnerability 1/14/2020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0606 dotnet/announcements#149 .NET Core Microsoft.WindowsDesktop.App.Ref 3.0.1, 3.1.0 3.0.2, 3.1.1
CVE-2020-1045 Microsoft ASP.NET Core Security Feature Bypass Vulnerability 9/8/2020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 dotnet/announcements#165 ASP.NET Core Microsoft.AspNetCore.Http [2.1.0, 2.1.1] 2.1.22
CVE-2020-1045 Microsoft ASP.NET Core Security Feature Bypass Vulnerability 9/8/2020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 dotnet/announcements#165 ASP.NET Core Microsoft.AspNetCore.App.Ref [3.1.0, 3.1.3] 3.1.8
CVE-2020-1045 Microsoft ASP.NET Core Security Feature Bypass Vulnerability 9/8/2020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 dotnet/announcements#165 ASP.NET Core Microsoft.AspNetCore.Owin [1.0.0, 3.1.7] 3.1.8
@taladrane
Copy link
Collaborator

thank you @skofman1 for sharing this with us! we've made an internal issue to track this and have added this to our backfill queue. this information is extremely helpful! I'll let you know if we have any additional questions once we've started going through it 😄

@darakian
Copy link
Contributor

darakian commented Jul 8, 2022

Hey @skofman1, sorry for the delay, but we're now live-ish 🎉

A few notes.
Your list has CVE-2019-0545 as affecting Microsoft.NETCore.App in >= 2.1.0, < 2.1.7 with 2.1.7 as the fix. I assume this is a typo as the reference has two ranges for System.Net.Http. I've followed dotnet/announcements#94 for our advisory.

Similarly CVE-2019-0546 lists Microsoft.NETCore.App and System.Net.Http for the affected packages while
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0546
Lists Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Should this one be for Microsoft.NETCore.App with the two ranges >= 2.1.0, < 2.1.7 & = 2.2.0?
Currently holding off on publishing this one.

CVE-2020-0606 / dotnet/announcements#149
The dotnet announcement mentions Any .NET Core application running on .NET Core 3.0.0, 3.0.1 or 3.1.0. for affected software and your notes list WindowsDesktop.App which does not seem to exist
https://www.nuget.org/packages/WindowsDesktop.App
Makes me think this is for the runtime and not a package, but let me know if I'm wrong there.

CVE-2020-1045 / dotnet/announcements#165
Similar affected software description and your note of Microsoft.Owin is missing both fix versions (2.1.22 and 3.1.8) that you suggest
https://www.nuget.org/packages/Microsoft.Owin
dotnet/aspnetcore#24264
lead me to Microsoft.AspNetCore.Http for this.
Can I get a double check on that one as well?

Thank you so much for the great list and sorry again for the delay in getting this done 🙇

CC @taladrane

@NickCraver
Copy link

I'm now hitting this too - are we sure these versions are correct on Microsoft.Owin (NuGet link)? There isn't a package 3.1.8 I can find on any feed after checking everywhere I know of...so I'm questioning if maybe some versions got mixed up here in the CG system? They are exactly the same versions as the line above with Microsoft.AspNetCore.App so maybe a copy/paste thing? This is triggering build governance though so it's becoming a blocker issue for us - can we help resolve?

@leecow
Copy link

leecow commented Jul 25, 2022

@darakian - looking at the questions.

RE: CVE-2019-0545 / dotnet/announcements#94, the announcement provides the following.

Package name Vulnerable versions Secure versions
Microsoft.NETCore.App (System.Net.Http) 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 2.1.7
Microsoft.NETCore.App (System.Net.Http) 2.2.0 2.2.1

This seems correct, though I may be missing something. Let me know. Ah, you're looking at the CVE. I could be misunderstanding the entry - it looks to define 2.1.0 through 2.1.6, inclusive and 2.2.0. Is that not correct?

@darakian
Copy link
Contributor

Hey @leecow, the question I had about that one was with respect to @skofman1's list has Microsoft.NETCore.App rather than System.Net.Http. I assumed that meant https://www.nuget.org/packages/Microsoft.NETCore.App, but maybe that's incorrect.

@NickCraver which advisory is blocking you?

@NickCraver
Copy link

@darakian It's the last one for Microsoft.Owin: https://nvd.nist.gov/vuln/detail/CVE-2020-1045 / GHSA-hxrm-9w7p-39cc I can't find how any of these relate to Microsoft.Owin and the fix recommending versions that don't exist (and aren't slightly off - it's recommending 3.1.8 when only 3.1.0 exists) leads me to believe we have something off in the data here. Any help would be much appreciated!

@leecow
Copy link

leecow commented Jul 25, 2022

Gotcha, yes, capturing the NetCore.app and 'included' package is confusing. Could the GitHub advisory follow a similar pattern to the .NET advisory? e.g. NetCore.App (System.Net.Http).

@darakian
Copy link
Contributor

darakian commented Jul 25, 2022

@NickCraver Ah gotcha. Our advisory isn't blocking you on that though is it? I couldn't find the Owin reference so, I left it off of that.

@leecow our namespace is defined as the names used on Nuget.org. System.Net.Http in this case.

@NickCraver
Copy link

@darakian I'm admittedly naive as to how these systems interact...it's triggering on internal builds in CG today as high severity and will break builds in under a month.

@darakian
Copy link
Contributor

@NickCraver and CG is breaking the build because the it detects Microsoft.Owin in the offending range listed above?

@NickCraver
Copy link

@darakian yep exactly, it advises upgrading from 3.0.0 to 3.1.8 but that's not possible/doesn't exist :)

@darakian
Copy link
Contributor

@NickCraver that's not going to be us (github database) then. I suspect that someone may have changed something on the CG side when this list got put together.

@skofman1 might be the best contact there.

@NickCraver
Copy link

@skofman1 I have an internal thread going from discovery this AM but thought this may be way downstream of the source mismatch, will add you to this! I assumed this was downstream but honestly no clue.

@skofman1
Copy link
Author

@darakian , @leecow -
regarding CVE-2019-0545 - https://www.nuget.org/packages/System.Net.Http doesn't have versions 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 with 2.17 being the fix. Those versions are valid only for https://www.nuget.org/packages/Microsoft.NETCore.App. I imagine that the intent in the [.NET Announcement)(https://github.com/dotnet/announcements/issues/94) is that System.NET.Http has the underlining vulnerability that impacts Microsoft.NETCore.App, however, the version ranges are valid only for Microsoft.NETCore.App. @leecow , do we know which version ranges in System.NET.Http are impacted by this CVE? @darakian, I recommend updating the advisory CVE-2019-0545 for now to include only Microsoft.NETCore.App, until we get clarity on the correct version ranges for System.NET.Http.

Regarding CVE-2019-0546 - this is a data issue. Sorry about that.

Regarding CVE-2020-0606 / dotnet/announcements#149 - @leecow , perhaps you can clarify here. Was you intent this package: https://www.nuget.org/packages/Microsoft.WindowsDesktop.App.Ref ?

Regarding CVE-2020-1045 / dotnet/announcements#165 - @leecow , could you help clarify which https://www.nuget.org/packages/microsoft.owin packages are impacted?

@NickCraver - I imagine someone from CG used this data. Could you provide details on what CG solution your team uses? Is this Azure DevOps? If so, I can try to reach out to them internally.

@NickCraver
Copy link

NickCraver commented Jul 26, 2022

@skofman1 Yep ADO here - and always feel free to ping on Teams too, I can link specific builds/incidents. This started happening last week for us (Thursday/Friday I think) so assuming the same as you here that same data source got pulled in. Thanks a ton for helping us get sorted!

@darakian
Copy link
Contributor

the advisory CVE-2019-0545 for now to include only Microsoft.NETCore.App, until we get clarity on the correct version ranges for System.NET.Http.

Ok, just to double check you mean a change of the affected product from System.NET.Http to Microsoft.NETCore.App?

@skofman1
Copy link
Author

Ok, just to double check you mean a change of the affected product from System.NET.Http to Microsoft.NETCore.App?

Yes, exactly.

@darakian
Copy link
Contributor

Yes, exactly.

Thank you much. We're updated 👍

@leecow
Copy link

leecow commented Jul 26, 2022

Answers to a few of the outstanding questions:

CVE-2020-0606 / dotnet/announcements#149 - Should reference https://www.nuget.org/packages/Microsoft.WindowsDesktop.App.Ref?

Yes. This is somewhat analogous to the NetCore.App vs affected underlying component discussion.

CVE-2020-1045 / dotnet/announcements#165 - which https://www.nuget.org/packages/microsoft.owin packages are impacted?

The affected owin package is Microsoft.AspNetCore.Owin rather than Microsoft.Owin. Fixed version 3.1.8.

@darakian
Copy link
Contributor

@leecow many thanks 👍 Those two advisories are now updated on our end.

@skofman1
Copy link
Author

skofman1 commented Aug 3, 2022

@darakian , @leecow and I worked offline on CVE-2020-1045 and this is the full set of impacted packages (I updated the table above as well).

CVE Title Announcement date CVE URL Announcement URL Impacted software Vulnerable package id Vulnerable version range Fixed in version
CVE-2020-1045 Microsoft ASP.NET Core Security Feature Bypass Vulnerability 9/8/2020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 dotnet/announcements#165 ASP.NET Core Microsoft.AspNetCore.Http [2.1.0, 2.1.1] 2.1.22
CVE-2020-1045 Microsoft ASP.NET Core Security Feature Bypass Vulnerability 9/8/2020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 dotnet/announcements#165 ASP.NET Core Microsoft.AspNetCore.App.Ref [3.1.0, 3.1.3] 3.1.8
CVE-2020-1045 Microsoft ASP.NET Core Security Feature Bypass Vulnerability 9/8/2020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 dotnet/announcements#165 ASP.NET Core Microsoft.AspNetCore.Owin [1.0.0, 3.1.7] 3.1.8

@darakian
Copy link
Contributor

darakian commented Aug 3, 2022

@skofman1 many thanks for the update. Am I right in reading that last line that Microsoft.AspNetCore.Owin does not have a fix version at 2.1.22?

@skofman1
Copy link
Author

skofman1 commented Aug 3, 2022

@darakian , that's right. Microsoft.AspNetCore.Owin doesn't have version 2.1.22. https://www.nuget.org/packages/Microsoft.AspNetCore.Owin

image

@darakian
Copy link
Contributor

darakian commented Aug 3, 2022

Fantastic. Thank you much and I've updated our advisory to reflect 👍

@florelis
Copy link

florelis commented Aug 8, 2022

@skofman1
Looks like some of the details for dotnet/announcements#73 were not properly added in the advisory.

On GHSA-p9wx-v264-q34p, for System.ServiceModel.Duplex and System.ServiceModel.Security, it includes affected versions >= 4.0.0, < 4.1.3 with patched version 4.1.3, but the table above and the announcement say vulnerable versions are 4.0.0, 4.0.1 and 4.0.2, with secure version 4.0.4.

This caused us to get alerts from a dependency on Microsoft.NETCore.UniversalWindowsPlatform which I believe were false positives. I have submitted a suggestion for improvements in #574

@skofman1
Copy link
Author

skofman1 commented Aug 8, 2022

Thank for reporting @lechacon !

@darakian , could you take a look pls?

@darakian
Copy link
Contributor

@lechacon & @skofman1 sorry about that and sorry for the late reply (I was out for a few days). A colleague of mine has gone ahead and put those updates through. Let me know if you see anything else.

@shelbyc
Copy link
Contributor

shelbyc commented Sep 1, 2022

Regarding CVE-2019-0546 - this is a data issue. Sorry about that.

@skofman1 We're seeking clarification before deciding whether to publish or close. Is CVE-2019-0546 a valid vulnerability? Does it affect Microsoft.NETCore.App and should we review this vulnerability/send out alerts? If CVE-2019-0546 only affects Microsoft Visual Studio, it doesn't affect a supported package and we can't review or alert on it.

@skofman1
Copy link
Author

skofman1 commented Sep 1, 2022

@shelbyc , CVE-2019-0546 was provided by mistake here. There are no impacted packages here. Feel free to remove.

@jeran-urban
Copy link

jeran-urban commented Nov 22, 2022

Hello,

Can anyone verify that CVE-2020-1045 was permanently fixed for Mictosoft.AspNetCore.Http as of 2.1.22, and the higher versions, including versions 2.2.x no longer have this vulnerability? Sonatype is reporting this is still an active issue directly via support chat:

"""
For Microsoft.AspNetCore.Http:

So for the 2.1.x branch, we do have the vulnerable range closed off at 2.1.22 (not inclusive).

For the 2.2.x version, the advisory does not address this branch and we have found that it does have the vulnerable code in its versions. There are currently 5 2.2.x versions published to Nuget, the latest published on 2/12/2019, and all contain the vulnerable code. We are monitoring new releases of this component and will close off the vulnerable range for the 2.2.x branch should a fix ever be released for it.
"""

If you can verify, can you please provide documentation so I can try to get this updated? Thank you!

@skofman1
Copy link
Author

//cc @leecow

@leecow
Copy link

leecow commented Nov 23, 2022

The fix was not applied to 2.2 as that release went out of support in December 2019.

@darakian
Copy link
Contributor

@leecow is that to say that all 2.2.x releases of Microsoft.AspNetCore.Http are vulnerable? If so I can go ahead and update our advisory to reflect marking >= 2.2.0, <= 2.2.2 as vulnerable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

8 participants