Comments (33)
Answers to a few of the outstanding questions:
CVE-2020-0606 / dotnet/announcements#149 - Should reference https://www.nuget.org/packages/Microsoft.WindowsDesktop.App.Ref?
Yes. This is somewhat analogous to the NetCore.App vs affected underlying component discussion.
CVE-2020-1045 / dotnet/announcements#165 - which https://www.nuget.org/packages/microsoft.owin packages are impacted?
The affected owin package is Microsoft.AspNetCore.Owin rather than Microsoft.Owin. Fixed version 3.1.8.
from advisory-database.
thank you @skofman1 for sharing this with us! we've made an internal issue to track this and have added this to our backfill queue. this information is extremely helpful! I'll let you know if we have any additional questions once we've started going through it 😄
from advisory-database.
@shelbyc , CVE-2019-0546 was provided by mistake here. There are no impacted packages here. Feel free to remove.
from advisory-database.
The fix was not applied to 2.2 as that release went out of support in December 2019.
from advisory-database.
I'm now hitting this too - are we sure these versions are correct on Microsoft.Owin
(NuGet link)? There isn't a package 3.1.8 I can find on any feed after checking everywhere I know of...so I'm questioning if maybe some versions got mixed up here in the CG system? They are exactly the same versions as the line above with Microsoft.AspNetCore.App
so maybe a copy/paste thing? This is triggering build governance though so it's becoming a blocker issue for us - can we help resolve?
from advisory-database.
@NickCraver that's not going to be us (github database) then. I suspect that someone may have changed something on the CG side when this list got put together.
@skofman1 might be the best contact there.
from advisory-database.
@darakian , @leecow -
regarding CVE-2019-0545 - https://www.nuget.org/packages/System.Net.Http doesn't have versions 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6
with 2.17
being the fix. Those versions are valid only for https://www.nuget.org/packages/Microsoft.NETCore.App. I imagine that the intent in the [.NET Announcement)(https://github.com/dotnet/announcements/issues/94) is that System.NET.Http has the underlining vulnerability that impacts Microsoft.NETCore.App, however, the version ranges are valid only for Microsoft.NETCore.App. @leecow , do we know which version ranges in System.NET.Http are impacted by this CVE? @darakian, I recommend updating the advisory CVE-2019-0545 for now to include only Microsoft.NETCore.App, until we get clarity on the correct version ranges for System.NET.Http.
Regarding CVE-2019-0546 - this is a data issue. Sorry about that.
Regarding CVE-2020-0606 / dotnet/announcements#149 - @leecow , perhaps you can clarify here. Was you intent this package: https://www.nuget.org/packages/Microsoft.WindowsDesktop.App.Ref ?
Regarding CVE-2020-1045 / dotnet/announcements#165 - @leecow , could you help clarify which https://www.nuget.org/packages/microsoft.owin packages are impacted?
@NickCraver - I imagine someone from CG used this data. Could you provide details on what CG solution your team uses? Is this Azure DevOps? If so, I can try to reach out to them internally.
from advisory-database.
@darakian , @leecow and I worked offline on CVE-2020-1045 and this is the full set of impacted packages (I updated the table above as well).
CVE | Title | Announcement date | CVE URL | Announcement URL | Impacted software | Vulnerable package id | Vulnerable version range | Fixed in version |
---|---|---|---|---|---|---|---|---|
CVE-2020-1045 | Microsoft ASP.NET Core Security Feature Bypass Vulnerability | 9/8/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 | dotnet/announcements#165 | ASP.NET Core | Microsoft.AspNetCore.Http | [2.1.0, 2.1.1] | 2.1.22 |
CVE-2020-1045 | Microsoft ASP.NET Core Security Feature Bypass Vulnerability | 9/8/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 | dotnet/announcements#165 | ASP.NET Core | Microsoft.AspNetCore.App.Ref | [3.1.0, 3.1.3] | 3.1.8 |
CVE-2020-1045 | Microsoft ASP.NET Core Security Feature Bypass Vulnerability | 9/8/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 | dotnet/announcements#165 | ASP.NET Core | Microsoft.AspNetCore.Owin | [1.0.0, 3.1.7] | 3.1.8 |
from advisory-database.
@darakian , that's right. Microsoft.AspNetCore.Owin doesn't have version 2.1.22. https://www.nuget.org/packages/Microsoft.AspNetCore.Owin
from advisory-database.
//cc @leecow
from advisory-database.
Hey @skofman1, sorry for the delay, but we're now live-ish 🎉
A few notes.
Your list has CVE-2019-0545 as affecting Microsoft.NETCore.App
in >= 2.1.0, < 2.1.7
with 2.1.7
as the fix. I assume this is a typo as the reference has two ranges for System.Net.Http
. I've followed dotnet/announcements#94 for our advisory.
Similarly CVE-2019-0546 lists Microsoft.NETCore.App
and System.Net.Http
for the affected packages while
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0546
Lists Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Should this one be for Microsoft.NETCore.App
with the two ranges >= 2.1.0, < 2.1.7
& = 2.2.0
?
Currently holding off on publishing this one.
CVE-2020-0606 / dotnet/announcements#149
The dotnet announcement mentions Any .NET Core application running on .NET Core 3.0.0, 3.0.1 or 3.1.0.
for affected software and your notes list WindowsDesktop.App
which does not seem to exist
https://www.nuget.org/packages/WindowsDesktop.App
Makes me think this is for the runtime and not a package, but let me know if I'm wrong there.
CVE-2020-1045 / dotnet/announcements#165
Similar affected software description and your note of Microsoft.Owin
is missing both fix versions (2.1.22
and 3.1.8
) that you suggest
https://www.nuget.org/packages/Microsoft.Owin
dotnet/aspnetcore#24264
lead me to Microsoft.AspNetCore.Http
for this.
Can I get a double check on that one as well?
Thank you so much for the great list and sorry again for the delay in getting this done 🙇
CC @taladrane
from advisory-database.
@darakian - looking at the questions.
RE: CVE-2019-0545 / dotnet/announcements#94, the announcement provides the following.
Package name | Vulnerable versions | Secure versions |
---|---|---|
Microsoft.NETCore.App (System.Net.Http) | 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.1.7 |
Microsoft.NETCore.App (System.Net.Http) | 2.2.0 | 2.2.1 |
This seems correct, though I may be missing something. Let me know. Ah, you're looking at the CVE. I could be misunderstanding the entry - it looks to define 2.1.0 through 2.1.6, inclusive and 2.2.0. Is that not correct?
from advisory-database.
Hey @leecow, the question I had about that one was with respect to @skofman1's list has Microsoft.NETCore.App
rather than System.Net.Http
. I assumed that meant https://www.nuget.org/packages/Microsoft.NETCore.App, but maybe that's incorrect.
@NickCraver which advisory is blocking you?
from advisory-database.
@darakian It's the last one for Microsoft.Owin: https://nvd.nist.gov/vuln/detail/CVE-2020-1045 / GHSA-hxrm-9w7p-39cc I can't find how any of these relate to Microsoft.Owin and the fix recommending versions that don't exist (and aren't slightly off - it's recommending 3.1.8 when only 3.1.0 exists) leads me to believe we have something off in the data here. Any help would be much appreciated!
from advisory-database.
Gotcha, yes, capturing the NetCore.app and 'included' package is confusing. Could the GitHub advisory follow a similar pattern to the .NET advisory? e.g. NetCore.App (System.Net.Http).
from advisory-database.
@NickCraver Ah gotcha. Our advisory isn't blocking you on that though is it? I couldn't find the Owin reference so, I left it off of that.
@leecow our namespace is defined as the names used on Nuget.org. System.Net.Http in this case.
from advisory-database.
@darakian I'm admittedly naive as to how these systems interact...it's triggering on internal builds in CG today as high severity and will break builds in under a month.
from advisory-database.
@NickCraver and CG is breaking the build because the it detects Microsoft.Owin
in the offending range listed above?
from advisory-database.
@darakian yep exactly, it advises upgrading from 3.0.0 to 3.1.8 but that's not possible/doesn't exist :)
from advisory-database.
@skofman1 I have an internal thread going from discovery this AM but thought this may be way downstream of the source mismatch, will add you to this! I assumed this was downstream but honestly no clue.
from advisory-database.
@skofman1 Yep ADO here - and always feel free to ping on Teams too, I can link specific builds/incidents. This started happening last week for us (Thursday/Friday I think) so assuming the same as you here that same data source got pulled in. Thanks a ton for helping us get sorted!
from advisory-database.
the advisory CVE-2019-0545 for now to include only Microsoft.NETCore.App, until we get clarity on the correct version ranges for System.NET.Http.
Ok, just to double check you mean a change of the affected product from System.NET.Http to Microsoft.NETCore.App?
from advisory-database.
Ok, just to double check you mean a change of the affected product from System.NET.Http to Microsoft.NETCore.App?
Yes, exactly.
from advisory-database.
Yes, exactly.
Thank you much. We're updated 👍
from advisory-database.
@leecow many thanks 👍 Those two advisories are now updated on our end.
from advisory-database.
@skofman1 many thanks for the update. Am I right in reading that last line that Microsoft.AspNetCore.Owin
does not have a fix version at 2.1.22
?
from advisory-database.
Fantastic. Thank you much and I've updated our advisory to reflect 👍
from advisory-database.
@skofman1
Looks like some of the details for dotnet/announcements#73 were not properly added in the advisory.
On GHSA-p9wx-v264-q34p, for System.ServiceModel.Duplex and System.ServiceModel.Security, it includes affected versions >= 4.0.0, < 4.1.3 with patched version 4.1.3, but the table above and the announcement say vulnerable versions are 4.0.0, 4.0.1 and 4.0.2, with secure version 4.0.4.
This caused us to get alerts from a dependency on Microsoft.NETCore.UniversalWindowsPlatform which I believe were false positives. I have submitted a suggestion for improvements in #574
from advisory-database.
Thank for reporting @lechacon !
@darakian , could you take a look pls?
from advisory-database.
@lechacon & @skofman1 sorry about that and sorry for the late reply (I was out for a few days). A colleague of mine has gone ahead and put those updates through. Let me know if you see anything else.
from advisory-database.
Regarding CVE-2019-0546 - this is a data issue. Sorry about that.
@skofman1 We're seeking clarification before deciding whether to publish or close. Is CVE-2019-0546 a valid vulnerability? Does it affect Microsoft.NETCore.App
and should we review this vulnerability/send out alerts? If CVE-2019-0546 only affects Microsoft Visual Studio, it doesn't affect a supported package and we can't review or alert on it.
from advisory-database.
Hello,
Can anyone verify that CVE-2020-1045 was permanently fixed for Mictosoft.AspNetCore.Http as of 2.1.22, and the higher versions, including versions 2.2.x no longer have this vulnerability? Sonatype is reporting this is still an active issue directly via support chat:
"""
For Microsoft.AspNetCore.Http:
So for the 2.1.x branch, we do have the vulnerable range closed off at 2.1.22 (not inclusive).
For the 2.2.x version, the advisory does not address this branch and we have found that it does have the vulnerable code in its versions. There are currently 5 2.2.x versions published to Nuget, the latest published on 2/12/2019, and all contain the vulnerable code. We are monitoring new releases of this component and will close off the vulnerable range for the 2.2.x branch should a fix ever be released for it.
"""
If you can verify, can you please provide documentation so I can try to get this updated? Thank you!
from advisory-database.
@leecow is that to say that all 2.2.x releases of Microsoft.AspNetCore.Http
are vulnerable? If so I can go ahead and update our advisory to reflect marking >= 2.2.0, <= 2.2.2
as vulnerable.
from advisory-database.
Related Issues (20)
- https://github.com/advisories/GHSA-257q-pv89-v3xv lists Nuget twice. HOT 2
- Inconsistent package identifier format for vulnerabilities in the Swift ecosystem HOT 1
- include advisories from Snyk HOT 3
- arduino-ide-extension marked as malware HOT 13
- List Perl as an environment HOT 8
- NPM IP package warning overstates danger HOT 2
- GHSA-5mwm-wccq-xqcp contains an incorrect reference HOT 3
- New Rails vulnerabilities have been disclosed. HOT 1
- www.google.com
- nogot HOT 1
- GHSA-cqhr-jqvc-qw9p has an invalid CVE id and appears to be a duplicate of GHSA-g66q-grxc-64j3 HOT 1
- Add C/C++ ecosystem like conan. HOT 1
- GHSA-5667-3wch-7q7w aka CVE-2024-1023 has wrong version range
- Haskell security advisory database (Hackage packages) HOT 3
- When you reload the site on your phone, Gone all the user icons HOT 1
- GHSA-8cp3-66vr-3r4c isn't considered a vulnerability by Synk HOT 1
- Request to review GHSA-7jmm-gqgx-fq9m
- Request to review GHSA-gwr8-m965-83p4
- A taks
- Version range of GHSA-95mg-jgfx-54v9
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from advisory-database.