dotnet 6.0.26+ SDK NuGet.Packaging Dependencies Vulnerable? #40355
Comments
FWIW, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0057 lists .NET 6.0.26 as the security update for this, and https://github.com/dotnet/core/blob/main/release-notes/6.0/6.0.26/6.0.26.md says CVE-2024-0057 is fixed there. The CVE-2024-0057 description specifically refers to "Microsoft .NET Framework-based applications". Does that include applications running on .NET 6 at all; or does the vulnerability only apply to applications that use NuGet libraries from .NET but run on .NET Framework?
Yes, they both say the CVE is fixed in 6.0.26; however, the latest SDKs (e.g. 6.0.421) appear to have been built with
cause vulnerability scanners to flag the SDK as vulnerable.
Here is an example from Trivy
Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don’t forget to check out NuGet’s contributing guide before submitting an issue! If you believe this issue was closed out of error, please comment to let us know. Happy Coding!
This is not a NuGet issue. The SDK was built with a potentially vulnerable version of NuGet, so the SDK needs to update its dependencies.
This is actually an issue on the nuget side (as well as impacting other tools) tracked by this internal issue: https://github.com/NuGet/Client.Engineering/issues/2735 Because feeds don't handle stable versions well if you need a rebuild, nuget and other tools teams flow unstable versions into the SDK. Those binaries are identical. This allows them more consistency on the feed used. One recommendation is to change the branding to -rtm but that'll still be flagged by some scanners. We could try to modify the deps.json before shipping but that's a bit hacky. It'd be better to find a way to flow an unstable version in the main feed that wasn't a prerelease or find a way to flow the stable version. CC @nkolev92 as he was aware of the linked issue.
Describe the bug
The dotnet 6.0 versions since 6.0.26 list the version of the NuGet.Packaging dependency in the SDK as
"NuGet.Packaging": "6.3.4-rc.2"
which evaluates as less than [1] the fixed version (6.3.4) in the advisory [2]. As a result, vulnerability scanners flag the latest SDK version (e.g. 6.0.421) as vulnerable to CVE-2024-0057 (Critical). I am not certain if NuGet.Packaging v6.3.4-rc.2 includes the fix for CVE-2024-0057, so I am not certain if the versions of dotnet since 6.0.26 are patched.
I see two approaches to resolving this issue:
References:
[1] - https://learn.microsoft.com/en-us/nuget/concepts/package-versioning?tabs=semver20sort#pre-release-versions
[2] - GHSA-68w7-72jg-6qpp
To Reproduce
N/A
Exceptions (if any)
N/A
Further technical details
N/A
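The pre-release ordering cited in [1] is what a scanner applies when it decides that 6.3.4-rc.2 sorts below the fixed 6.3.4. The Python script below is an added illustration, not code from the dotnet/sdk project or from anyone in this thread: it implements a simplified NuGet/SemVer 2.0 comparison (four-part numeric core, dot-separated pre-release identifiers compared numerically or case-insensitively, build metadata ignored), walks a constructed deps.json fragment shaped like the entry quoted above, and reports whether the listed NuGet.Packaging version would be treated as below the advisory's fixed version. It also shows why a "-rtm" label, as floated in the thread, would still sort below the plain release version. The deps.json sample and the `find_flagged` helper are constructed for this example; the comparator does not claim to reproduce Trivy's exact matching logic.

```python
import json
import re

# Constructed sample: a trimmed deps.json-style fragment shaped like the
# dependency entry quoted in the issue. Not the real SDK file.
SAMPLE_DEPS_JSON = """
{
  "targets": {
    ".NETCoreApp,Version=v6.0": {
      "NuGet.Packaging/6.3.4-rc.2": {},
      "NuGet.Versioning/6.3.4-rc.2": {}
    }
  }
}
"""

# Fixed version named in the advisory referenced by the issue.
FIXED_VERSION = "6.3.4"

_VERSION_RE = re.compile(
    r"^(?P<core>\d+(?:\.\d+){0,3})"          # 1 to 4 numeric parts
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?"          # optional pre-release label
    r"(?:\+[0-9A-Za-z.-]+)?$"                 # optional build metadata (ignored)
)


def parse_version(text):
    """Split a NuGet/SemVer version into (numeric core, pre-release identifiers)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a NuGet/SemVer version: {text!r}")
    core = [int(x) for x in m.group("core").split(".")]
    core += [0] * (4 - len(core))  # NuGet normalizes 6.3.4 and 6.3.4.0 as equal
    pre = m.group("pre")
    identifiers = pre.split(".") if pre else None
    return core, identifiers


def _cmp_identifier(a, b):
    """SemVer 2.0 rule: numeric ids compare numerically and sort before alphanumeric ids."""
    a_num, b_num = a.isdigit(), b.isdigit()
    if a_num and b_num:
        return (int(a) > int(b)) - (int(a) < int(b))
    if a_num != b_num:
        return -1 if a_num else 1
    a, b = a.lower(), b.lower()  # NuGet compares release labels case-insensitively
    return (a > b) - (a < b)


def compare_versions(x, y):
    """Return -1, 0 or 1 as x sorts before, equal to or after y."""
    cx, px = parse_version(x)
    cy, py = parse_version(y)
    if cx != cy:
        return (cx > cy) - (cx < cy)
    if px is None and py is None:
        return 0
    if px is None:
        return 1   # a release sorts after every pre-release of the same core
    if py is None:
        return -1  # so any -rc.2 / -rtm / -beta label sorts below 6.3.4
    for a, b in zip(px, py):
        c = _cmp_identifier(a, b)
        if c:
            return c
    # identical prefix: the label with fewer identifiers sorts first
    return (len(px) > len(py)) - (len(px) < len(py))


def find_flagged(deps_json_text, package, fixed_version):
    """Locate `package` in a deps.json document.

    Returns (version_found, flagged) where flagged is True when the listed
    version sorts strictly below `fixed_version`, i.e. what a scanner that
    matches purely on version ranges would report.
    """
    doc = json.loads(deps_json_text)
    for libraries in doc.get("targets", {}).values():
        for key in libraries:
            name, _, version = key.partition("/")
            if name.lower() == package.lower():
                return version, compare_versions(version, fixed_version) < 0
    return None, False


if __name__ == "__main__":
    found, flagged = find_flagged(SAMPLE_DEPS_JSON, "NuGet.Packaging", FIXED_VERSION)
    print(f"NuGet.Packaging {found} < {FIXED_VERSION}: {flagged}")
    for candidate in ("6.3.4-rc.2", "6.3.4-rtm", "6.3.4", "6.3.4.0", "6.3.5-alpha"):
        print(f"{candidate:12} vs {FIXED_VERSION}: {compare_versions(candidate, FIXED_VERSION):+d}")
```

Because a range-based scanner only sees the version string, the comparison above is independent of whether the -rc.2 binaries actually contain the fix; that is exactly the ambiguity the issue raises, and resolving it requires the vendor statement (or a build-provenance check), not a different comparator.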