Plataforma SaaS de análisis y mitigación automática de vulnerabilidades en dependencias transitorias de proyectos .NET con recomendaciones y parches.

Repository: jgeraigery/coremltools Author: mend-for-github-com[bot] <details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Library - <b>nunit3testadapter.3.9.0.nupkg</b></summary> <p></p> <p>Path to dependency file: /deps/protobuf/csharp/src/Google.Protobuf.Conformance/Google.Protobuf.Conformance.csproj</p> <p>Path to vulnerable library: /opt/containerbase/tools/dotnet/sdk/NuGetFallbackFolder/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg</p> <p> <p>Found in HEAD commit: <a href="https://github.com/jgeraigery/coremltools/commit/cb187ac68bbd85399a27da116bd477a755448e9e">cb187ac68bbd85399a27da116bd477a755448e9e</a></p></details> ## Vulnerabilities | Vulnerability | Severity | <img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (nunit3testadapter.3.9.0.nupkg version) | Remediation Possible** | Reachability | | ------------- | ------------- | ----- | ----- | ----- | ----- | ----- | ------------- | --- | --- | | [CVE-2019-0820](https://www.mend.io/vulnerability-database/CVE-2019-0820) | <img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> High | 7.5 | Not Defined | 2.7% | system.text.regularexpressions.4.3.0.nupkg | Transitive | N/A* | &#10060;|<p align="center"><img src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=19 height=20> Reachable</p> | <p>*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.</p><p>**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation</p> ## Details <details> <summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> <img src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=19 height=20> CVE-2019-0820</summary> ### Vulnerable Library - <b>system.text.regularexpressions.4.3.0.nupkg</b> <p>Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...</p> <p>Library home page: <a href="https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg">https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg</a></p> <p>Path to dependency file: /deps/protobuf/csharp/src/Google.Protobuf.Benchmarks/Google.Protobuf.Benchmarks.csproj</p> <p>Path to vulnerable library: /opt/containerbase/tools/dotnet/sdk/NuGetFallbackFolder/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg</p> <p> Dependency Hierarchy: - nunit3testadapter.3.9.0.nupkg (Root Library) - system.xml.xmldocument.4.3.0.nupkg - system.xml.readerwriter.4.3.0.nupkg - :x: **system.text.regularexpressions.4.3.0.nupkg** (Vulnerable Library) <p>Found in HEAD commit: <a href="https://github.com/jgeraigery/coremltools/commit/cb187ac68bbd85399a27da116bd477a755448e9e">cb187ac68bbd85399a27da116bd477a755448e9e</a></p> <p>Found in base branch: <b>main</b></p> </p> <p></p> ### Reachability Analysis This vulnerability is potentially reachable ``` System.Text.RegularExpressions.RegexMatchTimeoutException (Application) -> System.Text.RegularExpressions.RegexRunner (Extension) -> System.Text.RegularExpressions.Regex (Extension) -> ❌ Google.Protobuf.JsonParser (Vulnerable Component) ``` </p> <p></p> ### Vulnerability Details <p> A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981. <p>Publish Date: 2019-05-16 <p>URL: <a href=https://www.mend.io/vulnerability-database/CVE-2019-0820>CVE-2019-0820</a></p> </p> <p></p> ### Threat Assessment <p> <p>Exploit Maturity: Not Defined</p> <p>EPSS: 2.7%</p> </p> <p></p> ### CVSS 3 Score Details (<b>7.5</b>) <p> Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High </p> For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>. </p> <p></p> ### Suggested Fix <p> <p>Type: Upgrade version</p> <p>Origin: <a href="https://github.com/advisories/GHSA-cmhx-cq75-c4mj">https://github.com/advisories/GHSA-cmhx-cq75-c4mj</a></p> <p>Release Date: 2019-05-16</p> <p>Fix Resolution: System.Text.RegularExpressions - 4.3.1</p> </p> <p></p> </details>