Vonage/vonage-dotnet-sdk

wiremock.net.1.5.60.nupkg: 1 vulnerabilities (highest severity is: 7.5)

mend-for-github-com opened this issue · 1 comments

Vulnerable Library - wiremock.net.1.5.60.nupkg

Path to dependency file: /Vonage.Test/Vonage.Test.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.formats.asn1/5.0.0/system.formats.asn1.5.0.0.nupkg

Found in HEAD commit: 677e4341b05e2299365c0c8ac937c665ca6c4955

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (wiremock.net.1.5.60.nupkg version) Remediation Possible** Reachability
CVE-2024-38095 High 7.5 Unproven 0.1% system.formats.asn1.5.0.0.nupkg Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-38095

Vulnerable Library - system.formats.asn1.5.0.0.nupkg

Provides classes that can read and write the ASN.1 BER, CER, and DER data formats.

Commonly Used Ty...

Library home page: https://api.nuget.org/packages/system.formats.asn1.5.0.0.nupkg

Path to dependency file: /Vonage.Test/Vonage.Test.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.formats.asn1/5.0.0/system.formats.asn1.5.0.0.nupkg

Dependency Hierarchy:

  • wiremock.net.1.5.60.nupkg (Root Library)
    • wiremock.net.abstractions.1.5.60.nupkg
      • system.security.cryptography.x509certificates.4.3.0.nupkg
        • system.security.cryptography.cng.5.0.0.nupkg
          • system.formats.asn1.5.0.0.nupkg (Vulnerable Library)

Found in HEAD commit: 677e4341b05e2299365c0c8ac937c665ca6c4955

Found in base branch: main

Vulnerability Details

.NET and Visual Studio Denial of Service Vulnerability

Publish Date: 2024-07-09

URL: CVE-2024-38095

Threat Assessment

Exploit Maturity: Unproven

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-447r-wph3-92pm

Release Date: 2024-07-09

Fix Resolution: Microsoft.NetCore.App.Runtime - 6.0.32,8.0.7, System.Formats.Asn1 - 6.0.1,8.0.1

Non-relevant as it concerns a Test project which isn't part of the downloadable package