I have an ASP.NET Core 6.0 Web API. I have implemented CI/CD to release changes and also integrated a vulnerability scanning tool (Trivy) into the project to check for vulnerabilities in the code. Today, I came across a strange vulnerability in a library that is not installed in the project.
To fix the vulnerability, of course, I can install the updated version (6.0.1), but I am unsure why this issue is being flagged in the code if this library is no longer present. Is it possible that these libraries (System.Formats.Asn1, System.IO.Packaging, NuGet.Protocol, SortedList) are being used internally by the .NET 6.0 framework?
- Library: System.Formats.Asn1
- Vulnerability: CVE-2024-38095
- Severity: HIGH
- Installed Version: 6.0.0
- Fixed Version: 6.0.1, 8.0.1
- Title: dotnet: DoS when parsing X.509 Content and ObjectIdentifiers
https://avd.aquasec.com/nvd/cve-2024-38095