CVE-2023-29331 - dotnet-watch depends on out of date System.Security.Cryptography.Pkcs #40974

Status: Open
baronfel opened this issue May 17, 2024 · 1 comment
Labels: Area-Watch, untriaged (Request triage from a team member)

Comments

@baronfel (Member)

Describe the bug

A Trivy scan of the 8.0.300 SDK Docker image shows the following result:

mcr.microsoft.com/dotnet/sdk:8.0 (debian 12.5)
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/share/dotnet/sdk/8.0.300/DotnetTools/dotnet-watch/8.0.300-rtm.24224.16/tools/net8.0/any/BuildHost-netcore/Microsoft.CodeAnalysis.Workspaces.MSBuild.BuildHost.deps.json (dotnet-core)
=========================================================================================================================================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌───────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│              Library              │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                          │
├───────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Pkcs │ CVE-2023-29331 │ HIGH     │ fixed  │ 7.0.0             │ 7.0.2, 6.0.3  │ dotnet: .NET Kestrel: Denial of Service processing X509 │
│                                   │                │          │        │                   │               │ Certificates                                            │
│                                   │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-29331              │
└───────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘

To Reproduce

>docker run aquasec/trivy i mcr.microsoft.com/dotnet/sdk:8.0 --ignore-unfixed
@dotnet-issue-labeler dotnet-issue-labeler bot added the untriaged Request triage from a team member label May 17, 2024
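The finding above comes from Trivy reading a `.deps.json` file, which lists every NuGet package an application was restored against, so a single stale transitive dependency (here `System.Security.Cryptography.Pkcs/7.0.0`) is visible even when the SDK image's OS packages are clean. The script below is an added example, not code from dotnet-watch, Roslyn or Trivy: it parses a `.deps.json` document, looks for that package in its `libraries` section (keys are assumed to be `Name/Version`, as in real deps files), and compares the version against the fixed versions Trivy reported (6.0.3 for the 6.0 branch, 7.0.2 for the 7.0 branch). The `scan_tree` helper walks an unpacked SDK directory such as `/usr/share/dotnet` and is an assumption about how one would run it; the embedded deps document is constructed for the example, and a prerelease of the fixed version (e.g. `7.0.2-preview.1`) is deliberately still reported as vulnerable because it sorts below the release.

```python
"""Flag out-of-date System.Security.Cryptography.Pkcs entries in .NET .deps.json files.

Added example, not code from dotnet-watch, Roslyn or Trivy. The fixed versions
(6.0.3 and 7.0.2) are those Trivy reports for CVE-2023-29331 in the issue above;
the deps.json document below is constructed for this example.
"""
import json
import sys
from pathlib import Path
from typing import Dict, List, Tuple

PACKAGE = "System.Security.Cryptography.Pkcs"

# Fixed version per servicing branch, keyed by major version (from the Trivy output).
FIXED_BY_MAJOR: Dict[int, Tuple[int, int, int]] = {6: (6, 0, 3), 7: (7, 0, 2)}


def parse_nuget_version(version: str) -> Tuple[Tuple[int, ...], bool]:
    """Split a NuGet version into its numeric core and a prerelease flag.

    "7.0.2-preview.1" -> ((7, 0, 2), True). Build metadata after "+" does not
    affect ordering and is dropped.
    """
    core, sep, _ = version.partition("-")
    core = core.split("+", 1)[0]
    numbers = tuple(int(part) for part in core.split("."))
    return numbers, bool(sep)


def classify(version: str) -> str:
    """Return "vulnerable", "fixed" or "not-covered" for a Pkcs package version."""
    numbers, prerelease = parse_nuget_version(version)
    fixed = FIXED_BY_MAJOR.get(numbers[0])
    if fixed is None:
        # Branches the advisory data does not list (e.g. 8.x): report, do not guess.
        return "not-covered"
    padded = (numbers + (0, 0, 0))[:3]
    if padded < fixed:
        return "vulnerable"
    if padded == fixed and prerelease:
        # A prerelease of the fixed version sorts below the release itself.
        return "vulnerable"
    return "fixed"


def check_deps_json(text: str) -> List[Tuple[str, str, str]]:
    """Return (package, version, status) for every PACKAGE entry in "libraries".

    Entries are keyed "Name/Version"; only type "package" entries are NuGet
    packages (type "project" is the application itself).
    """
    doc = json.loads(text)
    findings = []
    for key, entry in doc.get("libraries", {}).items():
        name, _, version = key.partition("/")
        if name.lower() != PACKAGE.lower() or entry.get("type") != "package":
            continue
        findings.append((name, version, classify(version)))
    return findings


def scan_tree(root: Path) -> List[Tuple[Path, str, str, str]]:
    """Walk an unpacked SDK (assumed layout, e.g. /usr/share/dotnet) for *.deps.json."""
    results = []
    for path in root.rglob("*.deps.json"):
        # utf-8-sig tolerates the BOM some .NET tooling writes.
        for name, version, status in check_deps_json(path.read_text(encoding="utf-8-sig")):
            results.append((path, name, version, status))
    return results


# Constructed sample modelled on a BuildHost deps.json carrying the version Trivy flagged.
SAMPLE_DEPS_JSON = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v8.0", "signature": ""},
    "targets": {".NETCoreApp,Version=v8.0": {}},
    "libraries": {
        "Example.BuildHost/1.0.0": {"type": "project", "serviceable": False},
        "System.Security.Cryptography.Pkcs/7.0.0": {
            "type": "package", "serviceable": True,
            "path": "system.security.cryptography.pkcs/7.0.0",
        },
        "Example.Other/1.2.3": {"type": "package", "serviceable": True},
    },
})

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_tree(Path(sys.argv[1]))
    else:
        hits = [(Path("<sample>"), *f) for f in check_deps_json(SAMPLE_DEPS_JSON)]
    for path, name, version, status in hits:
        print(f"{status:12} {name} {version}  {path}")
    sys.exit(1 if any(h[3] == "vulnerable" for h in hits) else 0)
```

Run it with no arguments to check the constructed sample, or pass the root of an unpacked SDK image to walk every `.deps.json` under it; a non-zero exit code makes it usable as a CI gate alongside the Trivy scan in the issue.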
@baronfel (Member, Author) commented May 17, 2024

dotnet/roslyn#73515 should fix this once it flows to the SDK.
