Plataforma SaaS que automatice la detección, análisis de alcance y remediación de vulnerabilidades en dependencias directas y transitorias de proyectos de software.

Repository: jgeraigery/coremltools Author: mend-for-github-com[bot] <details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Library - <b>Google.Protobuf.Test-1.0.0</b></summary> <p></p> <p>Path to dependency file: /deps/protobuf/csharp/src/Google.Protobuf.Conformance/Google.Protobuf.Conformance.csproj</p> <p>Path to vulnerable library: /opt/containerbase/tools/dotnet/sdk/NuGetFallbackFolder/newtonsoft.json/9.0.1/newtonsoft.json.9.0.1.nupkg</p> <p> <p>Found in HEAD commit: <a href="https://github.com/jgeraigery/coremltools/commit/cb187ac68bbd85399a27da116bd477a755448e9e">cb187ac68bbd85399a27da116bd477a755448e9e</a></p></details> ## Vulnerabilities | Vulnerability | Severity | <img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (Google.Protobuf.Test version) | Remediation Possible** | Reachability | | ------------- | ------------- | ----- | ----- | ----- | ----- | ----- | ------------- | --- | --- | | [CVE-2019-0820](https://www.mend.io/vulnerability-database/CVE-2019-0820) | <img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> High | 7.5 | Not Defined | 2.7% | system.text.regularexpressions.4.3.0.nupkg | Transitive | N/A* | &#10060;|<p align="center"><img src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=19 height=20> Reachable</p> | | [CVE-2024-21907](https://www.mend.io/vulnerability-database/CVE-2024-21907) | <img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> High | 7.5 | Not Defined | 2.3% | newtonsoft.json.9.0.1.nupkg | Transitive | N/A* | &#10060;|<p align="center"><img src='https://whitesource-resources.whitesourcesoftware.com/viaGreen.png' width=19 height=20> Unreachable</p> | <p>*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.</p><p>**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation</p> ## Details <details> <summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> <img src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=19 height=20> CVE-2019-0820</summary> ### Vulnerable Library - <b>system.text.regularexpressions.4.3.0.nupkg</b> <p>Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...</p> <p>Library home page: <a href="https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg">https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg</a></p> <p>Path to dependency file: /deps/protobuf/csharp/src/Google.Protobuf.Benchmarks/Google.Protobuf.Benchmarks.csproj</p> <p>Path to vulnerable library: /opt/containerbase/tools/dotnet/sdk/NuGetFallbackFolder/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg</p> <p> Dependency Hierarchy: - Google.Protobuf.Test-1.0.0 (Root Library) - microsoft.net.test.sdk.15.5.0.nupkg - microsoft.testplatform.testhost.15.5.0.nupkg - microsoft.testplatform.objectmodel.15.5.0.nupkg - system.xml.xpath.xmldocument.4.3.0.nupkg - system.xml.xmldocument.4.3.0.nupkg - system.xml.readerwriter.4.3.0.nupkg - :x: **system.text.regularexpressions.4.3.0.nupkg** (Vulnerable Library) <p>Found in HEAD commit: <a href="https://github.com/jgeraigery/coremltools/commit/cb187ac68bbd85399a27da116bd477a755448e9e">cb187ac68bbd85399a27da116bd477a755448e9e</a></p> <p>Found in base branch: <b>main</b></p> </p> <p></p> ### Reachability Analysis This vulnerability is potentially reachable ``` Google.Protobuf.JsonParser (Application) -> System.Text.RegularExpressions.Regex (Extension) -> System.Text.RegularExpressions.RegexRunner (Extension) -> ❌ System.Text.RegularExpressions.RegexMatchTimeoutException (Vulnerable Component) ``` </p> <p></p> ### Vulnerability Details <p> A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981. <p>Publish Date: 2019-05-16 <p>URL: <a href=https://www.mend.io/vulnerability-database/CVE-2019-0820>CVE-2019-0820</a></p> </p> <p></p> ### Threat Assessment <p> <p>Exploit Maturity: Not Defined</p> <p>EPSS: 2.7%</p> </p> <p></p> ### CVSS 3 Score Details (<b>7.5</b>) <p> Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High </p> For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>. </p> <p></p> ### Suggested Fix <p> <p>Type: Upgrade version</p> <p>Origin: <a href="https://github.com/advisories/GHSA-cmhx-cq75-c4mj">https://github.com/advisories/GHSA-cmhx-cq75-c4mj</a></p> <p>Release Date: 2019-05-16</p> <p>Fix Resolution: System.Text.RegularExpressions - 4.3.1</p> </p> <p></p> </details><details> <summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> <img src='https://whitesource-resources.whitesourcesoftware.com/viaGreen.png' width=19 height=20> CVE-2024-21907</summary> ### Vulnerable Library - <b>newtonsoft.json.9.0.1.nupkg</b> <p>Json.NET is a popular high-performance JSON framework for .NET</p> <p>Library home page: <a href="https://api.nuget.org/packages/newtonsoft.json.9.0.1.nupkg">https://api.nuget.org/packages/newtonsoft.json.9.0.1.nupkg</a></p> <p>Path to dependency file: /deps/protobuf/csharp/src/Google.Protobuf.Test/Google.Protobuf.Test.csproj</p> <p>Path to vulnerable library: /opt/containerbase/tools/dotnet/sdk/NuGetFallbackFolder/newtonsoft.json/9.0.1/newtonsoft.json.9.0.1.nupkg</p> <p> Dependency Hierarchy: - Google.Protobuf.Test-1.0.0 (Root Library) - microsoft.net.test.sdk.15.5.0.nupkg - microsoft.testplatform.testhost.15.5.0.nupkg - :x: **newtonsoft.json.9.0.1.nupkg** (Vulnerable Library) <p>Found in HEAD commit: <a href="https://github.com/jgeraigery/coremltools/commit/cb187ac68bbd85399a27da116bd477a755448e9e">cb187ac68bbd85399a27da116bd477a755448e9e</a></p> <p>Found in base branch: <b>main</b></p> </p> <p></p> ### Reachability Analysis <p>The vulnerable code is unreachable</p> </p> <p></p> ### Vulnerability Details <p> Newtonsoft.Json before version 13.0.1 is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition. <p>Publish Date: 2024-01-03 <p>URL: <a href=https://www.mend.io/vulnerability-database/CVE-2024-21907>CVE-2024-21907</a></p> </p> <p></p> ### Threat Assessment <p> <p>Exploit Maturity: Not Defined</p> <p>EPSS: 2.3%</p> </p> <p></p> ### CVSS 3 Score Details (<b>7.5</b>) <p> Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High </p> For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>. </p> <p></p> ### Suggested Fix <p> <p>Type: Upgrade version</p> <p>Origin: <a href="https://github.com/advisories/GHSA-5crp-9r3c-p9vr">https://github.com/advisories/GHSA-5crp-9r3c-p9vr</a></p> <p>Release Date: 2024-01-03</p> <p>Fix Resolution: Newtonsoft.Json - 13.0.1</p> </p> <p></p> </details>