Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Microsoft.NET.Test.Sdk references NuGet.Frameworks containing CVE-2022-30184 #4409

Closed
Skoucail opened this issue Apr 21, 2023 · 2 comments
Closed

Microsoft.NET.Test.Sdk references NuGet.Frameworks containing CVE-2022-30184 #4409

Skoucail opened this issue Apr 21, 2023 · 2 comments
Labels
needs-triage This item should be discussed in the next triage meeting.

Comments

@Skoucail
Copy link

Description

Microsoft.NET.Test.Sdk references NuGet.Frameworks containing CVE-2022-30184
Might concider updating NuGet.Frameworks to a later version (6.2.1 or higher i believe).

Diagnostic logs

CVE-2022-30184
.NET and Visual Studio Information Disclosure Vulnerability.
NVD-CWE-noinfo
CVSSv2:
Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
References:
FEDORA - FEDORA-2022-5508547b1e
FEDORA - FEDORA-2022-cd37732349
MISC - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30184
Vulnerable Software & Versions: (show all)
cpe:2.3:a:microsoft:nuget:::::::: versions up to (excluding) 6.2.1

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30184

Environment

Project was build with:
<TargetFramework>netcoreapp3.1</TargetFramework>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.5.0" />
@microsoft-github-policy-service microsoft-github-policy-service bot added the needs-triage This item should be discussed in the next triage meeting. label Apr 21, 2023
@domwvitality
Copy link

Our security scanner is picking this up too.
Currently we're explicitly installing a later version which doesn't contain the vulnerability. Can the dependant version be upped so it requires a version of NuGet.Frameworks that doesn't contain the vulnerability?

nohwnd added a commit to nohwnd/vstest that referenced this issue May 31, 2023
@nohwnd
Bump Nuget.Frameworks to 6.2.1
d079e57 
Fix microsoft#4409
nohwnd added a commit to nohwnd/vstest that referenced this issue May 31, 2023
@nohwnd
Bump Nuget.Frameworks to 6.6.0
c5e0ed6 
Fix microsoft#4409
@nohwnd nohwnd mentioned this issue May 31, 2023
Merged
@nohwnd
Copy link
Member

nohwnd commented May 31, 2023

I am creating a patch for 17.6.1 that we will be servicing and releasing soon. Hopefully you can update to that.

nohwnd added a commit that referenced this issue May 31, 2023
@nohwnd
[rel/17.6] Update Nuget.Frameworks (#4500)
5121d9f 
Fix #4409
@cremor cremor mentioned this issue Jun 2, 2023
Open
@GianniKoch GianniKoch mentioned this issue Sep 4, 2023
Merged
@nohwnd nohwnd closed this as not planned Won't fix, can't repro, duplicate, stale Jul 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs-triage This item should be discussed in the next triage meeting.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@nohwnd @Skoucail @domwvitality