mend-for-github-combot changed the title from "microsoft.aspnetcore.2.0.1.nupkg: 6 vulnerabilities (highest severity is: 8.8)" to "microsoft.aspnetcore.2.0.1.nupkg: 6 vulnerabilities (highest severity is: 8.8) reachable" on Dec 18, 2024
Vulnerable Library - microsoft.aspnetcore.2.0.1.nupkg
Microsoft.AspNetCore
Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.2.0.1.nupkg
Path to dependency file: /dvcsharp-core-api.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore/2.0.1/microsoft.aspnetcore.2.0.1.nupkg
Found in HEAD commit: b7d826b8731a37ecee6f45e17f6fd3f50a2a1ef8
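Vulnerabilities
* CVE-2018-0808: Reachable
* CVE-2017-11770: Reachable
* CVE-2018-0787: Unreachable
* WS-2018-0608: Unreachable
* WS-2018-0607: Unreachable
* CVE-2021-1723: Unreachable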
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2018-0808
Vulnerable Library - microsoft.aspnetcore.server.iisintegration.2.0.1.nupkg
ASP.NET Core components for working with the IIS AspNetCoreModule.
Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.server.iisintegration.2.0.1.nupkg
Path to dependency file: /dvcsharp-core-api.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore.server.iisintegration/2.0.1/microsoft.aspnetcore.server.iisintegration.2.0.1.nupkg
Dependency Hierarchy:
Found in HEAD commit: b7d826b8731a37ecee6f45e17f6fd3f50a2a1ef8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
ASP.NET Core 1.0, 1.1, and 2.0 allow an elevation of privilege vulnerability due to how ASP.NET web applications handle web requests, aka "ASP.NET Core Elevation Of Privilege Vulnerability". This CVE is unique from CVE-2018-0784.
Publish Date: 2018-03-14
URL: CVE-2018-0808
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0808
Release Date: 2018-03-14
Fix Resolution: Microsoft.AspNetCore.Server.IISIntegration - 2.1.0, Microsoft.AspNetCore.Hosting - 2.1.0
CVE-2017-11770
Vulnerable Library - microsoft.aspnetcore.2.0.1.nupkg
Microsoft.AspNetCore
Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.2.0.1.nupkg
Path to dependency file: /dvcsharp-core-api.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore/2.0.1/microsoft.aspnetcore.2.0.1.nupkg
Dependency Hierarchy:
Found in HEAD commit: b7d826b8731a37ecee6f45e17f6fd3f50a2a1ef8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack against a .NET Core web application by improperly parsing certificate data. A denial of service vulnerability exists when .NET Core improperly handles parsing certificate data, aka ".NET CORE Denial Of Service Vulnerability".
Publish Date: 2017-11-15
URL: CVE-2017-11770
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11770
Release Date: 2017-11-15
Fix Resolution: 1.0.8;1.1.5;2.0.3
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-0787
Vulnerable Libraries - microsoft.aspnetcore.server.kestrel.core.2.0.1.nupkg, microsoft.aspnetcore.httpoverrides.2.0.1.nupkg
microsoft.aspnetcore.server.kestrel.core.2.0.1.nupkg
Core components of ASP.NET Core Kestrel cross-platform web server.
Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.server.kestrel.core.2.0.1.nupkg
Path to dependency file: /dvcsharp-core-api.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore.server.kestrel.core/2.0.1/microsoft.aspnetcore.server.kestrel.core.2.0.1.nupkg
Dependency Hierarchy:
microsoft.aspnetcore.httpoverrides.2.0.1.nupkg
ASP.NET Core basic middleware for supporting HTTP method overrides. Includes:
* X-Forwarded-* headers to forward headers from a proxy.
* HTTP method override header.
Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.httpoverrides.2.0.1.nupkg
Path to dependency file: /dvcsharp-core-api.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore.httpoverrides/2.0.1/microsoft.aspnetcore.httpoverrides.2.0.1.nupkg
Dependency Hierarchy:
Found in HEAD commit: b7d826b8731a37ecee6f45e17f6fd3f50a2a1ef8
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
ASP.NET Core 1.0, 1.1, and 2.0 allow an elevation of privilege vulnerability due to how web applications that are created from templates validate web requests, aka "ASP.NET Core Elevation Of Privilege Vulnerability".
Publish Date: 2018-03-14
URL: CVE-2018-0787
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-03-14
Fix Resolution: Microsoft.AspNetCore.HttpOverrides - 2.0.2, Microsoft.AspNetCore.Server.Kestrel.Core - 2.0.2
WS-2018-0608
Vulnerable Libraries - microsoft.aspnetcore.server.kestrel.transport.abstractions.2.0.1.nupkg, microsoft.aspnetcore.server.kestrel.core.2.0.1.nupkg, microsoft.aspnetcore.server.kestrel.transport.libuv.2.0.1.nupkg
microsoft.aspnetcore.server.kestrel.transport.abstractions.2.0.1.nupkg
Transport abstractions for the ASP.NET Core Kestrel cross-platform web server.
Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.server.kestrel.transport.abstractions.2.0.1.nupkg
Path to dependency file: /dvcsharp-core-api.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore.server.kestrel.transport.abstractions/2.0.1/microsoft.aspnetcore.server.kestrel.transport.abstractions.2.0.1.nupkg
Dependency Hierarchy:
microsoft.aspnetcore.server.kestrel.core.2.0.1.nupkg
Core components of ASP.NET Core Kestrel cross-platform web server.
Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.server.kestrel.core.2.0.1.nupkg
Path to dependency file: /dvcsharp-core-api.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore.server.kestrel.core/2.0.1/microsoft.aspnetcore.server.kestrel.core.2.0.1.nupkg
Dependency Hierarchy:
microsoft.aspnetcore.server.kestrel.transport.libuv.2.0.1.nupkg
Libuv transport for the ASP.NET Core Kestrel cross-platform web server.
Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.server.kestrel.transport.libuv.2.0.1.nupkg
Path to dependency file: /dvcsharp-core-api.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore.server.kestrel.transport.libuv/2.0.1/microsoft.aspnetcore.server.kestrel.transport.libuv.2.0.1.nupkg
Dependency Hierarchy:
Found in HEAD commit: b7d826b8731a37ecee6f45e17f6fd3f50a2a1ef8
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A vulnerability was discovered in versions 2.x of ASP.NET Core where a specially crafted request can cause excess resource consumption in Kestrel.
Publish Date: 2018-05-08
URL: WS-2018-0608
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-05-08
Fix Resolution: Microsoft.AspNetCore.Server.Kestrel.Core - 2.0.3,2.1.0;Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions - 2.0.3,2.1.0;Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv - 2.0.3,2.1.0;Microsoft.AspNetCore.All - 2.0.8,2.1.0
WS-2018-0607
Vulnerable Library - microsoft.aspnetcore.server.kestrel.core.2.0.1.nupkg
Core components of ASP.NET Core Kestrel cross-platform web server.
Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.server.kestrel.core.2.0.1.nupkg
Path to dependency file: /dvcsharp-core-api.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore.server.kestrel.core/2.0.1/microsoft.aspnetcore.server.kestrel.core.2.0.1.nupkg
Dependency Hierarchy:
Found in HEAD commit: b7d826b8731a37ecee6f45e17f6fd3f50a2a1ef8
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Denial of service vulnerability in ASP.NET Core when a malformed request is terminated.
Publish Date: 2018-07-10
URL: WS-2018-0607
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-07-10
Fix Resolution: Microsoft.AspNetCore.Server.Kestrel.Core - 2.1.2
CVE-2021-1723
Vulnerable Library - microsoft.aspnetcore.server.kestrel.core.2.0.1.nupkg
Core components of ASP.NET Core Kestrel cross-platform web server.
Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.server.kestrel.core.2.0.1.nupkg
Path to dependency file: /dvcsharp-core-api.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore.server.kestrel.core/2.0.1/microsoft.aspnetcore.server.kestrel.core.2.0.1.nupkg
Dependency Hierarchy:
Found in HEAD commit: b7d826b8731a37ecee6f45e17f6fd3f50a2a1ef8
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
ASP.NET Core and Visual Studio Denial of Service Vulnerability
Publish Date: 2021-01-12
URL: CVE-2021-1723
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-1723
Release Date: 2021-01-12
Fix Resolution: Microsoft.AspNetCore.App.Runtime.win-arm64 - 5.0.2;LiveReloadServer - 1.1.0;Plugga.Core - 1.0.2;Maple.Branch.Module - 1.0.4;Microsoft.AspNetCore.Components.WebAssembly.Server - 5.0.1,5.0.0-rc.1.20451.17;AspNetCoreRuntime.5.0.x64 - 5.0.2;AspNetCoreRuntime.5.0.x86 - 5.0.2;Microsoft.AspNetCore.App.Runtime.osx-x64 - 5.0.2,3.1.10;GrazeDocs - 2.0.1;Microsoft.AspNetCore.App.Runtime.linux-musl-arm - 5.0.2;Microsoft.AspNetCore.App.Runtime.linux-musl-x64 - 5.0.2,3.1.10;YHWins.Template - 1.1.0;Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 - 3.1.10,5.0.2;Microsoft.AspNetCore.App.Runtime.linux-arm64 - 3.1.10,5.0.2;Microsoft.AspNetCore.App.Ref - 3.1.10,6.0.0-rc.1.21452.15;Microsoft.AspNetCore.Blazor.DevServer - 3.2.0-preview1.20073.1,3.1.0-preview4.19579.2;Microsoft.AspNetCore.App.Runtime.linux-arm - 3.1.10,5.0.2;Microsoft.AspNetCore.App.Runtime.linux-x64 - 3.1.10,5.0.2;stankins.console - 2020.12.20-beta298;Toolbelt.Blazor.DevServer.WithCssLiveReloader - 5.0.1,5.0.0-rc.1.20451.17;DragonFire.Server - 0.0.1-alpha.0;PoExtractor.OrchardCore - 0.5.0-rc2-16220;Microsoft.AspNetCore.App.Runtime.win-arm - 3.1.10,5.0.2;Microsoft.AspNetCore.App.Runtime.win-x64 - 3.1.10,5.0.2;Microsoft.AspNetCore.App.Runtime.win-x86 - 3.1.10,5.0.2;HuLu.Template.Api - 1.0.2;AspNetCoreRuntime.3.1.x64 - 3.1.10;AspNetCoreRuntime.3.1.x86 - 3.1.10;Microsoft.AspNetCore.Components.WebAssembly.DevServer - 5.0.0-rc.1.20451.17,5.0.1;Microsoft.AspNetCore.App.Runtime.win-arm64 - 3.1.10;lingman-webapi - 0.0.18
⛑️ Automatic Remediation will be attempted for this issue.