All ideas/devtools/Plataforma SaaS de análisis y remediación automática de vulnerabilidades en dependencias transitorias de proyectos .NET, con alertas y recomendaciones personalizadas.

GitHubB2Bdevtools

Plataforma SaaS de análisis y remediación automática de vulnerabilidades en dependencias transitorias de proyectos .NET, con alertas y recomendaciones personalizadas.

Scouted 6 hours ago

7.0/ 10

Overall score

Turn this signal into an edge

We help you build it, validate it, and get there first.

Go from idea to plan: who buys, what MVP to launch, how to validate it, and what to measure before spending months.

Extra context

Learn more about this idea

Get a clearer explanation of what the opportunity means, the current problem behind it, how this idea solves it, and the key concepts involved.

Score breakdown

Urgency8.0

Market size7.0

Feasibility7.0

Competition6.0

Pain point

Vulnerabilidades en dependencias transitorias de librerías .NET que no pueden ser corregidas automáticamente y son alcanzables, exponiendo información sensible.

Who'd pay for this

Equipos de desarrollo de software, empresas que mantienen proyectos en .NET, y departamentos de seguridad TI.

Source signal

"For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed."

Original post

netstandard.library.1.6.0.nupkg: 1 vulnerabilities (highest severity is: 7.5) reachable

Published: 6 hours ago

Repository: jgeraigery/coremltools Author: mend-for-github-com[bot] <details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Library - netstandard.library.1.6.0.nupkg</summary> Path to dependency file: /deps/protobuf/csharp/src/Google.Protobuf.Test/Google.Protobuf.Test.csproj Path to vulnerable library: /opt/containerbase/tools/dotnet/sdk/NuGetFallbackFolder/system.net.http/4.1.0/system.net.http.4.1.0.nupkg Found in HEAD commit: <a href="https://github.com/jgeraigery/coremltools/commit/cb187ac68bbd85399a27da116bd477a755448e9e">cb187ac68bbd85399a27da116bd477a755448e9e</a></details> ## Vulnerabilities | Vulnerability | Severity | <img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (netstandard.library.1.6.0.nupkg version) | Remediation Possible** | Reachability | | ------------- | ------------- | ----- | ----- | ----- | ----- | ----- | ------------- | --- | --- | | [CVE-2018-8292](https://www.mend.io/vulnerability-database/CVE-2018-8292) | <img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> High | 7.5 | Not Defined | 6.8% | system.net.http.4.1.0.nupkg | Transitive | N/A* | ❌|<img src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=19 height=20> Reachable | *For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation ## Details <details> <summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> <img src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=19 height=20> CVE-2018-8292</summary> ### Vulnerable Library - system.net.http.4.1.0.nupkg Provides a programming interface for modern HTTP applications, including HTTP client components that... Library home page: <a href="https://api.nuget.org/packages/system.net.http.4.1.0.nupkg">https://api.nuget.org/packages/system.net.http.4.1.0.nupkg</a> Path to dependency file: /deps/protobuf/csharp/src/Google.Protobuf.Test/Google.Protobuf.Test.csproj Path to vulnerable library: /opt/containerbase/tools/dotnet/sdk/NuGetFallbackFolder/system.net.http/4.1.0/system.net.http.4.1.0.nupkg Dependency Hierarchy: - netstandard.library.1.6.0.nupkg (Root Library) - :x: **system.net.http.4.1.0.nupkg** (Vulnerable Library) Found in HEAD commit: <a href="https://github.com/jgeraigery/coremltools/commit/cb187ac68bbd85399a27da116bd477a755448e9e">cb187ac68bbd85399a27da116bd477a755448e9e</a> Found in base branch: main ### Reachability Analysis This vulnerability is potentially reachable ``` Google.Protobuf.ProtoDump.Program (Application) -> System.IO.File (Extension) -> System.IO.StreamReader (Extension) -> System.SR (Extension) ... -> System.IO.UnmanagedMemoryStream (Extension) -> System.Runtime.InteropServices.SafeBuffer (Extension) -> ❌ Microsoft.Win32.SafeHandles.SafeHandleZeroOrMinusOneIsInvalid (Vulnerable Component) ``` ### Vulnerability Details An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0. Publish Date: 2018-10-10 URL: <a href=https://www.mend.io/vulnerability-database/CVE-2018-8292>CVE-2018-8292</a> ### Threat Assessment Exploit Maturity: Not Defined EPSS: 6.8% ### CVSS 3 Score Details (7.5) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>. ### Suggested Fix Type: Upgrade version Release Date: 2018-10-10 Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1 </details>

View on github ↗