Vulnerability in ASP.NET Core 6.0 Web API when the library is not directly installed?


I have an ASP.NET Core 6.0 Web API. I have implemented CI/CD to release changes and also integrated a vulnerability scanning tool (Trivy) into the project to check for vulnerabilities in the code. Today, I came across a strange vulnerability in a library that is not installed in the project.

To fix the vulnerability, of course, I can install the updated version (6.0.1), but I am unsure why this issue is being flagged in the code if this library is no longer present. Is it possible that these libraries (System.Formats.Asn1, System.IO.Packaging, NuGet.Protocol, SortedList) are being used internally by the .NET 6.0 framework?

  • Library: System.Formats.Asn1
  • Vulnerability: CVE-2024-38095
  • Severity: HIGH
  • Installed Version: 6.0.0
  • Fixed Version: 6.0.1, 8.0.1

Title: dotnet: DoS when parsing X.509 Content and ObjectIdentifiers

https://avd.aquasec.com/nvd/cve-2024-38095


