
I have an ASP.NET Core 6.0 Web API. I have implemented CI/CD to release changes and also integrated a vulnerability scanning tool (Trivy) into the project to check for vulnerabilities in the code. Today, I came across a strange vulnerability in a library that is not installed in the project.

To fix the vulnerability, of course, I can install the updated version (6.0.1), but I am unsure why this issue is being flagged in the code if this library is no longer present. Is it possible that these libraries (System.Formats.Asn1, System.IO.Packaging, NuGet.Protocol, SortedList) are being used internally by the .NET 6.0 framework?

  • Library: System.Formats.Asn1
  • Vulnerability: CVE-2024-38095
  • Severity: HIGH
  • Installed Version: 6.0.0
  • Fixed Version: 6.0.1, 8.0.1

Title: dotnet: DoS when parsing X.509 Content and ObjectIdentifiers

https://avd.aquasec.com/nvd/cve-2024-38095

  • I am not a security expert, and I don't know if this library is used by .NET internally, but if it is, you should probably update it and/or the library using it. Commented Oct 21, 2024 at 13:59
  • 3
  • It seems like this might be a transitive dependency issue. One of your direct dependencies relies on it, so Trivy would detect it. Please check if any of your direct dependencies have newer versions available that you can update to. Commented Oct 21, 2024 at 14:02

1 Answer


Yes, it is used indirectly by .NET assemblies - I found this post about a new .NET 9 dotnet command, which happens to show how it works using exactly the assembly you mentioned ;-)


This is the link to that gentleman's LinkedIn profile
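To make the "transitive dependency" explanation concrete, here is an added example (not code from the question, the answer, or the .NET tooling) that does by hand what the `dotnet nuget why` command does: it reads the `project.assets.json` NuGet writes under `obj/` on restore, walks from each direct `PackageReference` down its dependency edges, and prints every chain that ends at the flagged package. It also compares the resolved version against the advisory's fixed versions, which is the check a scanner like Trivy performs. The assets JSON embedded below is a constructed, abridged sample; `Vendor.Sdk` and `Vendor.Crypto` are hypothetical package names standing in for whichever direct dependency pulls in System.Formats.Asn1 6.0.0 in a real project.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample of a NuGet project.assets.json, abridged to the keys this
# script reads. "Vendor.Sdk" and "Vendor.Crypto" are hypothetical packages that
# stand in for a real direct dependency and its own dependency.
SAMPLE_ASSETS = json.loads("""
{
  "version": 3,
  "targets": {
    "net6.0": {
      "Vendor.Sdk/2.3.0": {
        "type": "package",
        "dependencies": { "Vendor.Crypto": "1.4.0" }
      },
      "Vendor.Crypto/1.4.0": {
        "type": "package",
        "dependencies": { "System.Formats.Asn1": "6.0.0" }
      },
      "System.Formats.Asn1/6.0.0": { "type": "package" },
      "Newtonsoft.Json/13.0.3": { "type": "package" }
    }
  },
  "project": {
    "frameworks": {
      "net6.0": {
        "dependencies": {
          "Vendor.Sdk": { "target": "Package", "version": "[2.3.0, )" },
          "Newtonsoft.Json": { "target": "Package", "version": "[13.0.3, )" }
        }
      }
    }
  }
}
""")


def _version_key(version: str) -> Tuple[int, ...]:
    """Numeric part of a NuGet version: '6.0.1-preview.2' -> (6, 0, 1)."""
    return tuple(int(p) for p in version.split("-", 1)[0].split("."))


def load_graph(assets: dict, framework: str):
    """Build the dependency graph for one target framework.

    Returns (direct, edges, names, resolved), all keyed by lower-cased package
    id because NuGet package ids are case-insensitive.
    """
    target = assets["targets"][framework]
    names: Dict[str, str] = {}
    resolved: Dict[str, str] = {}
    edges: Dict[str, List[str]] = {}
    for key, entry in target.items():
        name, _, version = key.partition("/")  # "Pkg/1.2.3" -> ("Pkg", "1.2.3")
        lid = name.lower()
        names[lid] = name
        resolved[lid] = version
        edges[lid] = [d.lower() for d in entry.get("dependencies", {})]
    direct = [
        d.lower()
        for d in assets["project"]["frameworks"][framework]["dependencies"]
    ]
    return direct, edges, names, resolved


def why(assets: dict, framework: str, package: str) -> List[List[str]]:
    """Every chain direct-dependency -> ... -> package, each node as 'Name Version'."""
    direct, edges, names, resolved = load_graph(assets, framework)
    wanted = package.lower()
    chains: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == wanted:
            chains.append([f"{names.get(p, p)} {resolved.get(p, '?')}" for p in path])
            return
        for dep in edges.get(node, []):
            if dep not in path:  # guard against cyclic graphs
                walk(dep, path + [dep])

    for d in direct:
        walk(d, [d])
    return chains


def is_vulnerable(resolved_version: str, fixed_versions: List[str]) -> bool:
    """True when the resolved version is below the fix for its major line.

    Advisories list one fixed version per supported major (here 6.0.1 and
    8.0.1). A major line with no listed fix is reported as vulnerable, which
    is the conservative reading of the advisory.
    """
    rv = _version_key(resolved_version)
    for fixed in fixed_versions:
        fv = _version_key(fixed)
        if fv[0] == rv[0]:
            return rv < fv
    return True


def report(assets: dict, framework: str, package: str, fixed_versions: List[str]) -> dict:
    """Combine the chain search and the version check into one finding."""
    _, _, _, resolved = load_graph(assets, framework)
    version = resolved.get(package.lower())
    if version is None:
        return {"present": False, "vulnerable": False, "chains": []}
    return {
        "present": True,
        "version": version,
        "vulnerable": is_vulnerable(version, fixed_versions),
        "chains": why(assets, framework, package),
    }


if __name__ == "__main__":
    finding = report(SAMPLE_ASSETS, "net6.0", "System.Formats.Asn1", ["6.0.1", "8.0.1"])
    for chain in finding["chains"]:
        print(" -> ".join(chain))
    print("vulnerable:", finding["vulnerable"])
```

On a real project, point `json.load` at `obj/project.assets.json` after `dotnet restore` instead of the constructed sample. Once the chain is known, the remediation matches the question's own proposal: either update the direct dependency at the top of the chain to a release that no longer references the vulnerable version, or add a direct `PackageReference` to System.Formats.Asn1 at 6.0.1 so NuGet's resolver lifts the transitive version.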
