Vulnerability in ASP.NET Core 6.0 Web API when the library is not directly installed?
I have an ASP.NET Core 6.0 Web API. I have implemented CI/CD to release changes and also integrated a vulnerability scanning tool (tviry) into the project to check for vulnerabilities in the code. Today, I came across a strange vulnerability in a library that is not installed in the project.
To fix the vulnerability, Of course, I can install the updated version (6.0.1), but I am unsure why this issue is being flagged in the code if this library is no longer present. Is it possible that this library, System.Formats.Asn1,System.IO.Packaging,NuGet.Protocol,SortedList is being used internally by the .NET 6.0 framework?
- Library: System.Formats.Asn1
- Vulnerability: CVE-2024-38095
- Severity: HIGH
- Installed Version: 6.0.0
- Fixed Version: 6.0.1, 8.0.1
Title: dotnet: DoS when parsing X.509 Content and ObjectIdentifiers
Yes, it is used indirectly by .NET assemblies - I found this post about a new .NET 9 dotnet command, which happens to show how it works using exactly the assembly you mentioned ;-)
This is the link to that gentleman's LinkedIn profile
- How to best utilize ASP .NET Membership database?
- how to secure my website
- Understanding CSRF
- Why can't a malicious site obtain a CSRF token via GET before attacking?
- REST API from mobile app - Does securing the first call with a CAPTCHA make sense?
- How to disable access security notice "A Potential security concern has been identified"
- Addressing critical vulnerabilities in Maven dependencies
- IDX10503: Signature validation failed. Token does not have a kid. Keys tried: 'System.Text.StringBuilder'
- How can I obtain the user's Logon Session SID (e.g. S-1-5-5-X-Y) or otherwise verify RMF SC-23 Unique Identifiers in Windows
- Is it secure to store passwords as environment variables (rather than as plain text) in config files?
- How can I skip old vulnerabilities and break only with new ones using Snyk scan on Azure DevSecOps?
- Generating a random password in php
- Access token and Refresh token best practices ? How to implement Access & Refresh Tokens
- Securely storing an access token
- Why does angular add ng-version attribute to the app-root html tag
- How to properly handle secrets in a local.settings.json file when adding the function source code to a source control repository
- Conditional Column-level permissions in PostgreSQL
- Embedding youtube video "Refused to display document because display forbidden by X-Frame-Options"
- How can I prevent SQL injection in PHP?
- IFrame security and CORS
- Should I impose a maximum length on passwords?
- <app> would like to access data from other apps - macOS Sonoma
- SELinux syntax error when optional is used inside a tunable_policy macro
- Generate cryptographically secure random numbers in php
- How to get through security error pages in the Firefox web browser?
- How to handle cookies securely during the REST API call in SWIFT 3 or 4?
- Read/write to NFC tag with password protection
- Request for the permission of type 'System.Security.Permissions.FileIOPermission.. failed
- Azure blocks POST requests from User-Agent Mozilla/5.0 to App Service
- How to read a HttpOnly cookie using JavaScript