MyPortal Web Based MIS
License: GNU General Public License v3.0
MyPortal is an open-source cloud-based school information management system (MIS). The MyPortal school MIS system is perfect the whole school community – from teachers, data administrators and staff, to students and parents.
A powerful, versatile, online school management system you can build and shape to meet every need.
Find MyPortal on Twitter at https://twitter.com/MyPortalEDU
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "mend-bolt-for-github[bot]")
Vulnerable Library - bouncycastle.cryptography.2.2.1.nupkgBouncyCastle.NET is a popular cryptography library for .NET
Library home page: https://api.nuget.org/packages/bouncycastle.cryptography.2.2.1.nupkg
Path to dependency file: /MyPortal.Tests/MyPortal.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/bouncycastle.cryptography/2.2.1/bouncycastle.cryptography.2.2.1.nupkg
Dependency Hierarchy:
Found in HEAD commit: 8e09905872760a95953cf97231a344a6cd04f3bd
Found in base branch: master
Vulnerability Details
In BouncyCastle before 1.78, crafted signature and public key can be used to trigger an infinite loop in the Ed25519 verification code.
Publish Date: 2024-03-24
URL: CVE-2024-30172
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2024-30172
Release Date: 2024-03-24
Fix Resolution: org.bouncycastle:bcprov-jdk18on:1.78,org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk14:1.78
Step up your Open Source Security Game with Mend here
Vulnerable Library - microsoft.data.sqlclient.2.1.4.nupkgProvides the data provider for SQL Server. These classes provide access to versions of SQL Server an...
Library home page: https://api.nuget.org/packages/microsoft.data.sqlclient.2.1.4.nupkg
Path to dependency file: /MyPortal.Tests/MyPortal.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.data.sqlclient/2.1.4/microsoft.data.sqlclient.2.1.4.nupkg
Dependency Hierarchy:
Found in HEAD commit: b3e63ef18aec174fe59510d358df3544a5366f19
Found in base branch: master
Vulnerability Details
Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability
Mend Note: Version 4.8.6 of System.Data.SqlClient was discovered to contain DLL components originated in a vulnerable Nuget version (System.Data.SqlClient-4.6.0), and therefore is alerted for CVE-2024-0056. Those components exist in the following paths: system.data.sqlclient.4.8.6\lib\net451\System.Data.SqlClient.dll, system.data.sqlclient.4.8.6\ref\net451\System.Data.SqlClient.dll, system.data.sqlclient.4.8.6\runtimes\win\lib\net451\System.Data.SqlClient.dll,system.data.sqlclient.4.8.6\runtimes\unix\lib\netstandard1.3\System.Data.SqlClient.dll, system.data.sqlclient.4.8.6\runtimes\win\lib\netstandard1.3\System.Data.SqlClient.dll, system.data.sqlclient.4.8.6\lib\net46\System.Data.SqlClient.dll, system.data.sqlclient.4.8.6\ref\net46\System.Data.SqlClient.dll, system.data.sqlclient.4.8.6\runtimes\win\lib\net46\System.Data.SqlClient.dll. Users of System.Data.SqlClient-4.8.6 that do not use any functionality originated in 4.6.0 are not affected.
Publish Date: 2024-01-09
URL: CVE-2024-0056
CVSS 3 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-98g6-xh36-x2p7
Release Date: 2024-01-09
Fix Resolution: Microsoft.Data.SqlClient - 2.1.7,3.1.5,4.0.5,5.1.3, System.Data.SqlClient - 4.8.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - google.protobuf.3.14.0.nupkgC# runtime library for Protocol Buffers - Google's data interchange format.
Library home page: https://api.nuget.org/packages/google.protobuf.3.14.0.nupkg
Path to dependency file: /MyPortal.Tests/MyPortal.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.14.0/google.protobuf.3.14.0.nupkg
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.
Publish Date: 2022-01-26
URL: CVE-2021-22570
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-77rm-9x9h-xj3g
Release Date: 2022-01-26
Fix Resolution: Google.Protobuf - 3.15.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - microsoft.extensions.apidescription.server.3.0.0.nupkgMSBuild tasks and targets for build-time Swagger and OpenApi document generation
This package was b...
Library home page: https://api.nuget.org/packages/microsoft.extensions.apidescription.server.3.0.0.nupkg
Path to dependency file: /MyPortalWeb/MyPortalWeb.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.extensions.apidescription.server/3.0.0/microsoft.extensions.apidescription.server.3.0.0.nupkg
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with high nesting level that lead to StackOverFlow exception or high CPU and RAM usage. Exploiting this vulnerability results in Denial Of Service (DoS). \n\nThe serialization and deserialization path have different properties regarding the issue.\n\nDeserializing methods (like JsonConvert.DeserializeObject) will process the input that results in burning the CPU, allocating memory, and consuming a thread of execution. Quite high nesting level (>10kk, or 9.5MB of {a:{a:{... input) is needed to achieve the latency over 10 seconds, depending on the hardware.\n\nSerializing methods (like JsonConvert.Serialize or JObject.ToString) will throw StackOverFlow exception with the nesting level of around 20k.\n\nTo mitigate the issue one either need to update Newtonsoft.Json to 13.0.1 or set MaxDepth parameter in the JsonSerializerSettings. This can be done globally with the following statement. After that the parsing of the nested input will fail fast with Newtonsoft.Json.JsonReaderException:\n\n \nJsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 };\n\n\nRepro code:\n\n//Create a string representation of an highly nested object (JSON serialized)\nint nRep = 25000;\nstring json = string.Concat(Enumerable.Repeat(\"{a:\", nRep)) + \"1\" +\n string.Concat(Enumerable.Repeat(\"}\", nRep));\n\n//Parse this object (leads to high CPU/RAM consumption)\nvar parsedJson = JsonConvert.DeserializeObject(json);\n\n// Methods below all throw stack overflow with nRep around 20k and higher\n// string a = parsedJson.ToString();\n// string b = JsonConvert.SerializeObject(parsedJson);\n\n\n### Additional affected product and version information\nThe original statement about the problem only affecting IIS applications is misleading. Any application is affected, however the IIS has a behavior that stops restarting the instance after some time resulting in a harder-to-fix DoS.**
Publish Date: 2022-06-22
URL: WS-2022-0161
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-06-22
Fix Resolution: Newtonsoft.Json - 13.0.1;Microsoft.Extensions.ApiDescription.Server - 6.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - system.text.json.4.7.2.nupkgProvides high-performance and low-allocating types that serialize objects to JavaScript Object Notat...
Library home page: https://api.nuget.org/packages/system.text.json.4.7.2.nupkg
Path to dependency file: /MyPortal.Tests/MyPortal.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.json/4.7.2/system.text.json.4.7.2.nupkg
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
.NET Core and Visual Studio Denial of Service Vulnerability
Publish Date: 2024-07-09
URL: CVE-2024-30105
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-hh2w-p6rv-4g7w
Release Date: 2024-07-09
Fix Resolution: System.Text.Json - 8.0.4
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - system.identitymodel.tokens.jwt.6.8.0.nupkg, microsoft.identitymodel.jsonwebtokens.6.8.0.nupkg
Includes types that provide support for creating, serializing and validating JSON Web Tokens.
Library home page: https://api.nuget.org/packages/system.identitymodel.tokens.jwt.6.8.0.nupkg
Path to dependency file: /MyPortal.Database/MyPortal.Database.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.identitymodel.tokens.jwt/6.8.0/system.identitymodel.tokens.jwt.6.8.0.nupkg
Dependency Hierarchy:
Includes types that provide support for creating, serializing and validating JSON Web Tokens.
Library home page: https://api.nuget.org/packages/microsoft.identitymodel.jsonwebtokens.6.8.0.nupkg
Path to dependency file: /MyPortal.Database/MyPortal.Database.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/6.8.0/microsoft.identitymodel.jsonwebtokens.6.8.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: 7b933494a6c719cc5303e996e176157f5bcccabc
Found in base branch: main
Vulnerability Details
Microsoft Identity Denial of service vulnerability
Publish Date: 2024-01-09
URL: CVE-2024-21319
CVSS 3 Score Details (6.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-8g9c-28fc-mcx2
Release Date: 2024-01-09
Fix Resolution: System.IdentityModel.Tokens.Jwt - 5.7.0,6.34.0,7.1.2, Microsoft.IdentityModel.JsonWebTokens - 5.7.0,6.34.0,7.1.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - microsoft.extensions.apidescription.server.3.0.0.nupkgMSBuild tasks and targets for build-time Swagger and OpenApi document generation
This package was b...
Library home page: https://api.nuget.org/packages/microsoft.extensions.apidescription.server.3.0.0.nupkg
Path to dependency file: /MyPortalWeb/MyPortalWeb.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.extensions.apidescription.server/3.0.0/microsoft.extensions.apidescription.server.3.0.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: b3e63ef18aec174fe59510d358df3544a5366f19
Found in base branch: master
Vulnerability Details
Newtonsoft.Json before version 13.0.1 is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition.
Publish Date: 2024-01-03
URL: CVE-2024-21907
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-5crp-9r3c-p9vr
Release Date: 2024-01-03
Fix Resolution: Newtonsoft.Json - 13.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - azure.identity.1.8.0.nupkgThis is the implementation of the Azure SDK Client Library for Azure Identity
Library home page: https://api.nuget.org/packages/azure.identity.1.8.0.nupkg
Path to dependency file: /MyPortal.Tests/MyPortal.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/azure.identity/1.8.0/azure.identity.1.8.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: b3e63ef18aec174fe59510d358df3544a5366f19
Found in base branch: master
Vulnerability Details
Azure Identity Library for .NET Information Disclosure Vulnerability
Publish Date: 2024-04-09
URL: CVE-2024-29992
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-wvxc-855f-jvrv
Release Date: 2024-04-09
Fix Resolution: Azure.Identity - 1.11.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - bouncycastle.cryptography.2.2.1.nupkgBouncyCastle.NET is a popular cryptography library for .NET
Library home page: https://api.nuget.org/packages/bouncycastle.cryptography.2.2.1.nupkg
Path to dependency file: /MyPortal.Tests/MyPortal.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/bouncycastle.cryptography/2.2.1/bouncycastle.cryptography.2.2.1.nupkg
Dependency Hierarchy:
Found in HEAD commit: 8e09905872760a95953cf97231a344a6cd04f3bd
Found in base branch: master
Vulnerability Details
An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.
Publish Date: 2024-05-09
URL: CVE-2024-29857
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.bouncycastle.org/latest_releases.html
Release Date: 2024-05-09
Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78
Step up your Open Source Security Game with Mend here
Vulnerable Library - system.drawing.common.4.7.0.nupkgProvides access to GDI+ graphics functionality.
Commonly Used Types:
System.Drawing.Bitmap
System.D...
Library home page: https://api.nuget.org/packages/system.drawing.common.4.7.0.nupkg
Path to dependency file: /MyPortal.Tests/MyPortal.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.drawing.common/4.7.0/system.drawing.common.4.7.0.nupkg
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
.NET Core Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26701.
Publish Date: 2021-02-25
URL: CVE-2021-24112
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-rxg9-xrhp-64gj
Release Date: 2021-02-25
Fix Resolution: System.Drawing.Common - 4.7.2,5.0.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - nuget.protocol.5.11.0.nupkgNuGet's implementation for interacting with feeds. Contains functionality for all feed types.
Library home page: https://api.nuget.org/packages/nuget.protocol.5.11.0.nupkg
Path to dependency file: /MyPortalWeb/MyPortalWeb.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/nuget.protocol/5.11.0/nuget.protocol.5.11.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: b3e63ef18aec174fe59510d358df3544a5366f19
Found in base branch: master
Vulnerability Details
NuGet Client Elevation of Privilege Vulnerability.
Publish Date: 2022-10-11
URL: CVE-2022-41032
CVSS 3 Score Details (7.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-11
Fix Resolution: NuGet.CommandLine - 4.9.6,5.7.3,5.9.3,5.11.3,6.0.3,6.2.2,6.3.1;NuGet.Commands - 4.9.6,5.7.3,5.9.3,5.11.3,6.0.3,6.2.2,6.3.1;NuGet.Protocol - 4.9.6,5.7.3,5.9.3,5.11.3,6.0.3,6.2.2,6.3.1
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - microsoft.identity.client.4.60.3.nupkg, azure.identity.1.11.3.nupkg
This package contains the binaries of the Microsoft Authentication Library for .NET (MSAL.NET).
Library home page: https://api.nuget.org/packages/microsoft.identity.client.4.60.3.nupkg
Path to dependency file: /MyPortal.Tests/MyPortal.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.identity.client/4.60.3/microsoft.identity.client.4.60.3.nupkg
Dependency Hierarchy:
This is the implementation of the Azure SDK Client Library for Azure Identity
Library home page: https://api.nuget.org/packages/azure.identity.1.11.3.nupkg
Path to dependency file: /MyPortal.Tests/MyPortal.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/azure.identity/1.11.3/azure.identity.1.11.3.nupkg
Dependency Hierarchy:
Found in HEAD commit: b3e63ef18aec174fe59510d358df3544a5366f19
Found in base branch: main
Vulnerability Details
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
Publish Date: 2024-06-11
URL: CVE-2024-35255
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-m5vv-6r4h-3vj9
Release Date: 2024-06-11
Fix Resolution: @azure/identity - 4.2.1, @azure/msal-node - 2.9.1, Azure.Identity - 1.11.4, Microsoft.Identity.Client - 4.61.3, azure-identity - 1.16.1, com.azure:azure-identity:1.12.2, github.com/Azure/azure-sdk-for-go/sdk/azidentity - 1.6.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - google.protobuf.3.14.0.nupkgC# runtime library for Protocol Buffers - Google's data interchange format.
Library home page: https://api.nuget.org/packages/google.protobuf.3.14.0.nupkg
Path to dependency file: /MyPortal.Tests/MyPortal.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.14.0/google.protobuf.3.14.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: b3e63ef18aec174fe59510d358df3544a5366f19
Found in base branch: master
Vulnerability Details
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Publish Date: 2022-09-22
URL: CVE-2022-1941
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-8gq9-2x98-w8hf
Release Date: 2022-09-22
Fix Resolution: protobuf-cpp - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - google.protobuf.3.14.0.nupkgC# runtime library for Protocol Buffers - Google's data interchange format.
Library home page: https://api.nuget.org/packages/google.protobuf.3.14.0.nupkg
Path to dependency file: /MyPortal.Database/MyPortal.Database.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.14.0/google.protobuf.3.14.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: b3e63ef18aec174fe59510d358df3544a5366f19
Found in base branch: master
Vulnerability Details
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.
Publish Date: 2022-01-26
URL: CVE-2021-22570
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-77rm-9x9h-xj3g
Release Date: 2022-01-26
Fix Resolution: Google.Protobuf - 3.15.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - system.text.regularexpressions.4.3.1.nupkgProvides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...
Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.1.nupkg
Path to dependency file: /MyPortalWeb/MyPortalWeb.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.1/system.text.regularexpressions.4.3.1.nupkg
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.
Publish Date: 2019-05-16
URL: CVE-2019-0820
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-cmhx-cq75-c4mj
Release Date: 2019-05-16
Fix Resolution: System.Text.RegularExpressions - 4.3.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - system.text.regularexpressions.4.3.1.nupkgProvides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...
Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.1.nupkg
Path to dependency file: /MyPortalWeb/MyPortalWeb.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.1/system.text.regularexpressions.4.3.1.nupkg
Dependency Hierarchy:
Found in HEAD commit: b3e63ef18aec174fe59510d358df3544a5366f19
Found in base branch: master
Vulnerability Details
A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.
Publish Date: 2019-05-16
URL: CVE-2019-0820
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-cmhx-cq75-c4mj
Release Date: 2019-05-16
Fix Resolution: System.Text.RegularExpressions - 4.3.1
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - duende.identityserver.entityframework.storage.6.3.8.nupkg, duende.identityserver.6.3.8.nupkg
EntityFramework persistence layer for Duende IdentityServer
Library home page: https://api.nuget.org/packages/duende.identityserver.entityframework.storage.6.3.8.nupkg
Path to dependency file: /MyPortalWeb/MyPortalWeb.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/duende.identityserver.entityframework.storage/6.3.8/duende.identityserver.entityframework.storage.6.3.8.nupkg
Dependency Hierarchy:
OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
Library home page: https://api.nuget.org/packages/duende.identityserver.6.3.8.nupkg
Path to dependency file: /MyPortalWeb/MyPortalWeb.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/duende.identityserver/6.3.8/duende.identityserver.6.3.8.nupkg
Dependency Hierarchy:
Found in HEAD commit: b3e63ef18aec174fe59510d358df3544a5366f19
Found in base branch: main
Vulnerability Details
Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. It is possible for an attacker to craft malicious Urls that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a Url is returned as a redirect, some browsers will follow it to a third-party, untrusted site. Note: by itself, this vulnerability does not allow an attacker to obtain user credentials, authorization codes, access tokens, refresh tokens, or identity tokens. An attacker could however exploit this vulnerability as part of a phishing attack designed to steal user credentials. This vulnerability is fixed in 7.0.6, 6.3.10, 6.2.5, 6.1.8, and 6.0.5. Duende.IdentityServer 5.1 and earlier and all versions of IdentityServer4 are no longer supported and will not be receiving updates. If upgrading is not possible, use IUrlHelper.IsLocalUrl from ASP.NET Core to validate return Urls in user interface code in the IdentityServer host.
Publish Date: 2024-07-31
URL: CVE-2024-39694
CVSS 3 Score Details (4.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-ff4q-64jc-gx98
Release Date: 2024-07-31
Fix Resolution: Duende.IdentityServer - 6.0.5,6.1.8,6.2.5,6.3.10,7.0.6, Duende.IdentityServer.EntityFramework.Storage - 6.0.5,6.1.8,6.2.5,6.3.10,7.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - bouncycastle.cryptography.2.2.1.nupkgBouncyCastle.NET is a popular cryptography library for .NET
Library home page: https://api.nuget.org/packages/bouncycastle.cryptography.2.2.1.nupkg
Path to dependency file: /MyPortal.Tests/MyPortal.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/bouncycastle.cryptography/2.2.1/bouncycastle.cryptography.2.2.1.nupkg
Dependency Hierarchy:
Found in HEAD commit: 8e09905872760a95953cf97231a344a6cd04f3bd
Found in base branch: master
Vulnerability Details
BouncyCastle before version 1.78 is vulnerable to timing side-channel attacks against RSA decryption (both PKCS#1v1.5 and OAEP).
Publish Date: 2024-03-24
URL: CVE-2024-30171
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2024-03-24
Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78
Step up your Open Source Security Game with Mend here
Vulnerable Library - azure.identity.1.8.0.nupkgThis is the implementation of the Azure SDK Client Library for Azure Identity
Library home page: https://api.nuget.org/packages/azure.identity.1.8.0.nupkg
Path to dependency file: /MyPortal.Tests/MyPortal.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/azure.identity/1.8.0/azure.identity.1.8.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: b3e63ef18aec174fe59510d358df3544a5366f19
Found in base branch: master
Vulnerability Details
Azure Identity SDK Remote Code Execution Vulnerability
Publish Date: 2023-10-10
URL: CVE-2023-36414
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-36414
Release Date: 2023-10-10
Fix Resolution: Azure.Identity - 1.10.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - system.drawing.common.4.7.0.nupkgProvides access to GDI+ graphics functionality.
Commonly Used Types:
System.Drawing.Bitmap
System.D...
Library home page: https://api.nuget.org/packages/system.drawing.common.4.7.0.nupkg
Path to dependency file: /MyPortal.Tests/MyPortal.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.drawing.common/4.7.0/system.drawing.common.4.7.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: b3e63ef18aec174fe59510d358df3544a5366f19
Found in base branch: main
Vulnerability Details
.NET Core Remote Code Execution Vulnerability
Publish Date: 2021-02-25
URL: CVE-2021-24112
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-rxg9-xrhp-64gj
Release Date: 2021-02-25
Fix Resolution: System.Drawing.Common - 4.7.2,5.0.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - microsoft.extensions.apidescription.server.3.0.0.nupkgMSBuild tasks and targets for build-time Swagger and OpenApi document generation
This package was b...
Library home page: https://api.nuget.org/packages/microsoft.extensions.apidescription.server.3.0.0.nupkg
Path to dependency file: /MyPortalWeb/MyPortalWeb.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.extensions.apidescription.server/3.0.0/microsoft.extensions.apidescription.server.3.0.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: b3e63ef18aec174fe59510d358df3544a5366f19
Found in base branch: master
Vulnerability Details
Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with high nesting level that lead to StackOverFlow exception or high CPU and RAM usage. Exploiting this vulnerability results in Denial Of Service (DoS). \n\nThe serialization and deserialization path have different properties regarding the issue.\n\nDeserializing methods (like JsonConvert.DeserializeObject) will process the input that results in burning the CPU, allocating memory, and consuming a thread of execution. Quite high nesting level (>10kk, or 9.5MB of {a:{a:{... input) is needed to achieve the latency over 10 seconds, depending on the hardware.\n\nSerializing methods (like JsonConvert.Serialize or JObject.ToString) will throw StackOverFlow exception with the nesting level of around 20k.\n\nTo mitigate the issue one either need to update Newtonsoft.Json to 13.0.1 or set MaxDepth parameter in the JsonSerializerSettings. This can be done globally with the following statement. After that the parsing of the nested input will fail fast with Newtonsoft.Json.JsonReaderException:\n\n \nJsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 };\n\n\nRepro code:\n\n//Create a string representation of an highly nested object (JSON serialized)\nint nRep = 25000;\nstring json = string.Concat(Enumerable.Repeat(\"{a:\", nRep)) + \"1\" +\n string.Concat(Enumerable.Repeat(\"}\", nRep));\n\n//Parse this object (leads to high CPU/RAM consumption)\nvar parsedJson = JsonConvert.DeserializeObject(json);\n\n// Methods below all throw stack overflow with nRep around 20k and higher\n// string a = parsedJson.ToString();\n// string b = JsonConvert.SerializeObject(parsedJson);\n\n\n### Additional affected product and version information\nThe original statement about the problem only affecting IIS applications is misleading. Any application is affected, however the IIS has a behavior that stops restarting the instance after some time resulting in a harder-to-fix DoS.**
Publish Date: 2022-06-22
URL: WS-2022-0161
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-06-22
Fix Resolution: Newtonsoft.Json - 13.0.1;Microsoft.Extensions.ApiDescription.Server - 6.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - system.net.http.4.3.0.nupkgProvides a programming interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers.
Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg
Path to dependency file: /MyPortalWeb/MyPortalWeb.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: b3e63ef18aec174fe59510d358df3544a5366f19
Found in base branch: master
Vulnerability Details
An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.
Publish Date: 2018-10-10
URL: CVE-2018-8292
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-10-10
Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1
Step up your Open Source Security Game with Mend here
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
