Mannan Bahelim

Reputation: 1365

Vulnerability in ASP.NET Core 6.0 Web API when the library is not directly installed?

I have an ASP.NET Core 6.0 Web API. I have implemented CI/CD to release changes and also integrated a vulnerability scanning tool (Trivy) into the project to check for vulnerabilities in the code. Today, I came across a strange vulnerability in a library that is not installed in the project.

To fix the vulnerability, of course, I can install the updated version (6.0.1), but I am unsure why this issue is being flagged in the code if this library is no longer present. Is it possible that this library, System.Formats.Asn1, System.IO.Packaging, NuGet.Protocol, SortedList, is being used internally by the .NET 6.0 framework?

Title: dotnet: DoS when parsing X.509 Content and ObjectIdentifiers

https://avd.aquasec.com/nvd/cve-2024-38095

Upvotes: 1

Views: 334

Answers (1)

marc_s

Reputation: 755197

Yes, it is used indirectly by .NET assemblies - I found this post about a new .NET 9 dotnet command, which happens to show how it works using exactly the assembly you mentioned ;-)


This is the link to that gentleman's LinkedIn profile

Upvotes: 2
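
The indirect reference described in the answer can be traced in the `obj/project.assets.json` file that NuGet restore writes, which is also where scanners see packages the project never references directly. The following is an added example, not part of the original answer: it walks that file's dependency graph and returns every chain from a direct reference down to a given package. The sample data is constructed; every package name except System.Formats.Asn1, and all versions, are illustrative.

```python
import json

# Constructed sample in the shape of obj/project.assets.json, trimmed to the
# fields used here. Example.* names and all versions are illustrative and are
# not taken from the question's project.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {
    "net6.0": {
      "Example.Direct/1.0.0": {"type": "package",
        "dependencies": {"Example.Middle": "2.0.0"}},
      "Example.Middle/2.0.0": {"type": "package",
        "dependencies": {"System.Formats.Asn1": "6.0.0"}},
      "Example.Unrelated/3.0.0": {"type": "package"},
      "System.Formats.Asn1/6.0.0": {"type": "package"}
    }
  },
  "projectFileDependencyGroups": {
    "net6.0": ["Example.Direct >= 1.0.0", "Example.Unrelated >= 3.0.0"]
  }
}
""")

def why(assets, wanted, framework="net6.0"):
    """Return every chain of 'Id/Version' from a direct reference to `wanted`."""
    # Map lower-cased package id -> (resolved "Id/Version", dependency ids).
    graph = {}
    for key, entry in assets["targets"][framework].items():
        graph[key.split("/")[0].lower()] = (key, list(entry.get("dependencies", {})))
    # Direct references are listed as "Id >= Version"; keep only the id.
    direct = [d.split()[0] for d in assets["projectFileDependencyGroups"][framework]]
    chains = []

    def walk(pkg_id, path):
        node = graph.get(pkg_id.lower())
        if node is None or node[0] in path:  # unresolved id or cycle
            return
        path = path + [node[0]]
        if pkg_id.lower() == wanted.lower():
            chains.append(path)
            return
        for dep in node[1]:
            walk(dep, path)

    for d in direct:
        walk(d, [])
    return chains

if __name__ == "__main__":
    for chain in why(SAMPLE_ASSETS, "System.Formats.Asn1"):
        print(" -> ".join(chain))
```

To run it against a real project, load the restored `obj/project.assets.json` with `json.load` and pass the result in place of `SAMPLE_ASSETS`.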
