Vulnerability in ASP.NET Core 6.0 Web API when the library is not directly installed?
I have an ASP.NET Core 6.0 Web API. I have implemented CI/CD to release changes and also integrated a vulnerability scanning tool (tviry) into the project to check for vulnerabilities in the code. Today, I came across a strange vulnerability in a library that is not installed in the project.
To fix the vulnerability, Of course, I can install the updated version (6.0.1), but I am unsure why this issue is being flagged in the code if this library is no longer present. Is it possible that this library, System.Formats.Asn1,System.IO.Packaging,NuGet.Protocol,SortedList is being used internally by the .NET 6.0 framework?
- Library: System.Formats.Asn1
- Vulnerability: CVE-2024-38095
- Severity: HIGH
- Installed Version: 6.0.0
- Fixed Version: 6.0.1, 8.0.1
Title: dotnet: DoS when parsing X.509 Content and ObjectIdentifiers
Yes, it is used indirectly by .NET assemblies - I found this post about a new .NET 9 dotnet command, which happens to show how it works using exactly the assembly you mentioned ;-)
This is the link to that gentleman's LinkedIn profile
- How to test mysqli's real_escape_string()?
- Enterprise SSO implementation for a company
- How do you protect your software from illegal distribution?
- Files.exists(path) and path.toFile().exists() give different results for the same file
- How should untrusted JSON be sanitized before using JSON.parse?
- How to hide API Keys in AndroidManifest.xml
- Does the TLS cert would require an common SAN
- Grails + Acegi: How to handle password renewal ? Logged vs not logged user
- keytool - see the public and private keys
- Run jar file with file in memory
- Finding or building a python security profiler
- Security considerations using "new Function(...)" (during rendertime, expression coming from my Javascript sources)
- File containing its own checksum
- Severe security constraints while tomcat 8 startup with liferay
- Is checking the referrer enough to protect against a CSRF attack?
- What is the Docker security risk of /var/run/docker.sock?
- Attackers might be trying to steal your information from (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
- What steps should I take to validate a SSL Certificate manually as browsers do?
- How to Exclude Specific Files (like .env) from GitHub Copilot in VS Code?
- difference between http.context.user and thread.currentprincipal and when to use them?
- Why does Google prepend while(1); to their JSON responses?
- is there a yarn alternative for npm audit?
- infinispan 9 '<eviction strategy="LRU" />' isn't an allowed element
- Block remote connection on SQL server and allow only local connection
- Trying to create Buffer overflow for an example for school in C++
- Simple server-side Flask session variable
- Vulnerabilities in spring-webmvc-5.3.39 to 5.3.40
- How to send password securely over HTTP?
- How can i create an extension security hash code in Google chrome Secure Preferences file
- JavaScript source change detection