
CVE-2024-43485 #7524

Closed
calexander3 opened this issue Oct 17, 2024 · 3 comments

@calexander3

CVE-2024-43485 is present in dotnet-monitor version 8.05 due to its use of System.Text.Json 8.0.4. This is fixed in #7473 but needs to be released.

@calexander3 calexander3 added the bug Something isn't working label Oct 17, 2024

@jander-msft
Member

The dotnet-monitor tool packages do not contain the vulnerable System.Text.Json version but only have an entry in the dotnet-monitor.deps.json file. The library is provided by the shared runtime installation and is not part of the dotnet-monitor package itself.

If I install the tool locally:

```
> dotnet tool install --tool-path 'C:\tools' --version 8.0.5 dotnet-monitor
You can invoke the tool using the following command: dotnet-monitor
Tool 'dotnet-monitor' (version '8.0.5') was successfully installed.
```

and check for System.Text.Json.dll:

```
> cd C:\tools
> dir /s System.Text.Json.dll
 Volume in drive C is Local Disk
 Volume Serial Number is 0EE3-B1A0
File Not Found
```

The file does not exist.

However, if we check file contents:

```
> findstr /imspc:"System.Text.Json" *
.store\dotnet-monitor\8.0.5\dotnet-monitor\8.0.5\tools\net8.0\any\dotnet-monitor.deps.json
.store\dotnet-monitor\8.0.5\dotnet-monitor\8.0.5\tools\net8.0\any\extensions\AzureBlobStorage\dotnet-monitor-egress-azureblobstorage.deps.json
.store\dotnet-monitor\8.0.5\dotnet-monitor\8.0.5\tools\net8.0\any\extensions\S3Storage\dotnet-monitor-egress-s3storage.deps.json
```

It appears that the scanning tool that you've used is checking the entries in *.deps.json files rather than checking for the existence of the vulnerable files themselves. I would conclude that this is a false positive.

@jander-msft jander-msft removed the bug Something isn't working label Oct 17, 2024
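As an added example (not part of this issue thread or of the dotnet-monitor project), the following Python script automates the triage step described above: it parses a `.deps.json`, then checks whether the runtime assemblies each listed package declares are actually present on disk, so a "listed in deps.json" finding can be separated from a "shipped in the package" finding. The embedded `SAMPLE_DEPS` document and `SAMPLE_FILES` set are constructed for illustration; the package names, versions and paths in them are assumptions, not copied from dotnet-monitor. Pointed at a real tool directory it walks every `*.deps.json` it finds.

```python
"""Triage a 'vulnerable package' finding against a .NET tool directory.

A deps.json entry records a dependency edge, not a file: the assembly may be
supplied by the shared runtime rather than shipped in the package. This
script tells the two cases apart by checking for the runtime assets on disk.
"""
import json
import os
from typing import Dict, List, Set

# Constructed sample in the shape the .NET SDK emits. Versions, package names
# and asset paths are illustrative assumptions, not dotnet-monitor's real data.
SAMPLE_DEPS = {
    "runtimeTarget": {"name": ".NETCoreApp,Version=v8.0"},
    "targets": {
        ".NETCoreApp,Version=v8.0": {
            "dotnet-monitor/8.0.5": {
                "dependencies": {"System.Text.Json": "8.0.4", "Example.Lib": "1.0.0"},
                "runtime": {"dotnet-monitor.dll": {}},
            },
            "System.Text.Json/8.0.4": {
                "runtime": {"lib/net8.0/System.Text.Json.dll": {"assemblyVersion": "8.0.0.0"}}
            },
            "Example.Lib/1.0.0": {
                "runtime": {"lib/net8.0/Example.Lib.dll": {"assemblyVersion": "1.0.0.0"}}
            },
        }
    },
    "libraries": {
        "dotnet-monitor/8.0.5": {"type": "project"},
        "System.Text.Json/8.0.4": {"type": "package"},
        "Example.Lib/1.0.0": {"type": "package"},
    },
}

# Constructed sample of file names found under the tool directory. The shared
# runtime supplies System.Text.Json.dll, so it is deliberately absent here.
SAMPLE_FILES = {"dotnet-monitor.dll", "dotnet-monitor.deps.json", "Example.Lib.dll"}


def runtime_assets(deps: dict) -> Dict[str, List[str]]:
    """Map each 'Package/Version' of the active target to its runtime asset file names."""
    target = deps["targets"][deps["runtimeTarget"]["name"]]
    assets = {}
    for package, entry in target.items():
        # Asset keys are package-relative paths; only the file name is laid out on disk.
        assets[package] = [os.path.basename(path) for path in entry.get("runtime", {})]
    return assets


def classify(deps: dict, present: Set[str]) -> Dict[str, str]:
    """Label each package 'shipped', 'not shipped' (listed, nothing on disk) or 'no runtime assets'."""
    result = {}
    for package, files in runtime_assets(deps).items():
        if not files:
            result[package] = "no runtime assets"
        elif all(f in present for f in files):
            result[package] = "shipped"
        else:
            result[package] = "not shipped"
    return result


def flagged_but_absent(deps: dict, present: Set[str], package_name: str) -> bool:
    """True when a flagged package appears in deps.json but none of its assemblies is
    on disk, i.e. the finding should be checked against the shared runtime instead."""
    return any(
        pkg.split("/")[0] == package_name and label == "not shipped"
        for pkg, label in classify(deps, present).items()
    )


def scan_tool_dir(root: str) -> Dict[str, Dict[str, str]]:
    """Walk a real tool directory and classify every *.deps.json against the files present."""
    present, deps_files = set(), []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            present.add(name)
            if name.endswith(".deps.json"):
                deps_files.append(os.path.join(dirpath, name))
    report = {}
    for path in deps_files:
        with open(path, encoding="utf-8") as fh:
            report[path] = classify(json.load(fh), present)
    return report


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, labels in scan_tool_dir(sys.argv[1]).items():
            print(path)
            for pkg, label in sorted(labels.items()):
                print(f"  {label:>18}  {pkg}")
    else:
        for pkg, label in sorted(classify(SAMPLE_DEPS, SAMPLE_FILES).items()):
            print(f"{label:>18}  {pkg}")
```

Run with a tool directory as the only argument (for example the `--tool-path` used above) to get a per-deps.json report; with no argument it classifies the constructed sample. A package reported as "not shipped" is resolved from the shared runtime at run time, so the installed runtime's version, not the deps.json entry, is what determines exposure.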
@calexander3
Author

Yes, that is true. It came from AWS ECR and listed the deps file as its detection method. Thanks for the clarification!
