Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2023-29331 - dotnet-watch depends on out of date System.Security.Cryptography.Pkcs #40974

Open
baronfel opened this issue May 17, 2024 · 1 comment
Open

CVE-2023-29331 - dotnet-watch depends on out of date System.Security.Cryptography.Pkcs #40974

baronfel opened this issue May 17, 2024 · 1 comment
Labels
Area-Watch untriaged Request triage from a team member

Comments

@baronfel
Copy link
Member

Describe the bug

A Trivy scan of the 8.0.300 SDK Docker image shows the following result:

mcr.microsoft.com/dotnet/sdk:8.0 (debian 12.5)
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/share/dotnet/sdk/8.0.300/DotnetTools/dotnet-watch/8.0.300-rtm.24224.16/tools/net8.0/any/BuildHost-netcore/Microsoft.CodeAnalysis.Workspaces.MSBuild.BuildHost.deps.json (dotnet-core)
=========================================================================================================================================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌───────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│              Library              │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                          │
├───────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Pkcs │ CVE-2023-29331 │ HIGH     │ fixed  │ 7.0.0             │ 7.0.2, 6.0.3  │ dotnet: .NET Kestrel: Denial of Service processing X509 │
│                                   │                │          │        │                   │               │ Certificates                                            │
│                                   │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-29331              │
└───────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘

To Reproduce

>docker run aquasec/trivy i mcr.microsoft.com/dotnet/sdk:8.0 --ignore-unfixed
@dotnet-issue-labeler dotnet-issue-labeler bot added the untriaged Request triage from a team member label May 17, 2024
@baronfel
Copy link
Member Author

baronfel commented May 17, 2024
edited

dotnet/roslyn#73515 should fix this once it flows to the SDK.

@baronfel baronfel mentioned this issue May 18, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Area-Watch untriaged Request triage from a team member
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@baronfel