system.text.json.8.0.3.nupkg: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Question

system.text.json.8.0.3.nupkg: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

mend-for-github-com opened this issue 6 months ago · 1 comments

mend-for-github-com commented 6 months ago

Vulnerable Library - system.text.json.8.0.3.nupkg

Provides high-performance and low-allocating types that serialize objects to JavaScript Object Notation (JSON) text and deserialize JSON text to objects, with UTF-8 support built-in.

Library home page: https://api.nuget.org/packages/system.text.json.8.0.3.nupkg

Path to dependency file: /Vonage/Vonage.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.json/8.0.3/system.text.json.8.0.3.nupkg

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (system.text.json.8.0.3.nupkg version)	Remediation Possible**	Reachability
CVE-2024-30105	High	7.5	Unproven	0.0%	system.text.json.8.0.3.nupkg	Direct	System.Text.Json - 8.0.4	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-30105

Vulnerable Library - system.text.json.8.0.3.nupkg

Provides high-performance and low-allocating types that serialize objects to JavaScript Object Notation (JSON) text and deserialize JSON text to objects, with UTF-8 support built-in.

Library home page: https://api.nuget.org/packages/system.text.json.8.0.3.nupkg

Path to dependency file: /Vonage/Vonage.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.json/8.0.3/system.text.json.8.0.3.nupkg

Dependency Hierarchy:

❌ system.text.json.8.0.3.nupkg (Vulnerable Library)

Found in base branch: main

Vulnerability Details

.NET Core and Visual Studio Denial of Service Vulnerability

Publish Date: 2024-07-09

URL: CVE-2024-30105

Threat Assessment

Exploit Maturity: Unproven

EPSS: 0.0%

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hh2w-p6rv-4g7w

Release Date: 2024-07-09

Fix Resolution: System.Text.Json - 8.0.4

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

Answer 1 · 2024-07-16T08:01:08.000Z

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.