.NET / ASP .NET CVEs package vulnerabilities backfill #302

Open
skofman1 opened this issue May 19, 2022 · 2 comments

@skofman1 skofman1 commented May 19, 2022

Hi team!

We would like to backfill to the DB NuGet package vulnerabilities for 2017-2020. The list of vulnerabilities below is for .NET and ASP.NET Microsoft packages. Those already have CVEs and the impacted packages were specified in announcements published with each CVE in the .NET / ASP.NET Announcement repositories (https://github.com/dotnet/announcements/issues?q=is%3Aissue+is%3Aopen+cve, https://github.com/aspnet/announcements/issues?q=is%3Aopen+is%3Aissue+cve).

Please let me know if additional details are needed. //cc @taladrane , @JonDouglas, @leecow

| CVE | Title | Announcement date | CVE URL | Announcement URL | Impacted software | Vulnerable package id | Vulnerable version range | Fixed in version |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-11879 | Open Redirect can cause Elevation Of Privilege | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11879 | aspnet/Announcements#277 | ASP.NET Core 2.0 | Microsoft.AspNetCore.All | 2.0.0 | 2.0.3 |
| CVE-2017-11879 | Open Redirect can cause Elevation Of Privilege | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11879 | aspnet/Announcements#277 | ASP.NET Core 2.0 | Microsoft.AspNetCore.Mvc.Core | 2.0.0 | 2.0.1 |
| CVE-2017-11883 | Denial Of Service Vulnerability | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883 | aspnet/Announcements#278 | ASP.NET Core 1.0, 1.1 and 2.0. | Microsoft.AspNetCore.Server.WebListener | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 | 1.0.6 |
| CVE-2017-11883 | Denial Of Service Vulnerability | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883 | aspnet/Announcements#278 | ASP.NET Core 1.0, 1.1 and 2.0. | Microsoft.AspNetCore.Server.WebListener | 1.1.0, 1.1.1, 1.1.2 ,1.1.3 | 1.1.4 |
| CVE-2017-11883 | Denial Of Service Vulnerability | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883 | aspnet/Announcements#278 | ASP.NET Core 1.0, 1.1 and 2.0. | Microsoft.Net.Http.Server | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 | 1.0.6 |
| CVE-2017-11883 | Denial Of Service Vulnerability | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883 | aspnet/Announcements#278 | ASP.NET Core 1.0, 1.1 and 2.0. | Microsoft.Net.Http.Server | 1.1.0, 1.1.1, 1.1.2 ,1.1.3 | 1.1.4 |
| CVE-2017-11883 | Denial Of Service Vulnerability | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883 | aspnet/Announcements#278 | ASP.NET Core 1.0, 1.1 and 2.0. | Microsoft.AspNetCore.Server.HttpSys | 2.0.0, 2.0.1 | 2.0.2 |
| CVE-2017-8700 | CORS bypass can enable Information Disclosure | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8700 | aspnet/Announcements#279 | ASP.NET Core 1.0 and 1.1 | Microsoft.AspNetCore.Mvc.Core | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 | 1.0.6 |
| CVE-2017-8700 | CORS bypass can enable Information Disclosure | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8700 | aspnet/Announcements#279 | ASP.NET Core 1.0 and 1.1 | Microsoft.AspNetCore.Mvc.Core | 1.1.0, 1.1.1, 1.1.2 ,1.1.3, 1.1.4 | 1.1.6 |
| CVE-2017-8700 | CORS bypass can enable Information Disclosure | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8700 | aspnet/Announcements#279 | ASP.NET Core 1.0 and 1.1 | Microsoft.AspNetCore.Mvc.Cors | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 | 1.0.6 |
| CVE-2017-8700 | CORS bypass can enable Information Disclosure | 11/14/2017 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8700 | aspnet/Announcements#279 | ASP.NET Core 1.0 and 1.1 | Microsoft.AspNetCore.Mvc.Cors | 1.1.0, 1.1.1, 1.1.2 ,1.1.3, 1.1.4 | 1.1.6 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Primitives | 4.4.0 | 4.4.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Http | 4.4.0 | 4.4.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.NetTcp | 4.4.0 | 4.4.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Duplex | 4.4.0 | 4.4.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Security | 4.4.0 | 4.4.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.Private.ServiceModel | 4.4.0 | 4.4.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Primitives | 4.3.0 | 4.3.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Http | 4.3.0 | 4.3.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.NetTcp | 4.3.0 | 4.3.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Duplex | 4.3.0 | 4.3.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Security | 4.3.0 | 4.3.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.Private.ServiceModel | 4.3.0 | 4.3.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Primitives | 4.1.0 | 4.1.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Http | 4.1.0 | 4.1.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.NetTcp | 4.1.0 | 4.1.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Duplex | 4.1.0 | 4.1.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.ServiceModel.Security | 4.1.0 | 4.1.1 |
| CVE-2018-0786 | Security Feature Bypass in X509 Certificate Validation | 1/9/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786 | dotnet/announcements#51 | WCF packages for .NET Core 1.0 and 1.1, and 2.0 | System.Private.ServiceModel | 4.1.0 | 4.1.1 |
| CVE-2018-8269 | Denial of Service Vulnerability in Odata | 9/10/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | aspnet/Announcements#385 | ASP.NET Core | Microsoft.AspNetCore.DataProtection.AzureStorage | 2.1.1 | 2.1.2 |
| CVE-2018-8269 | Denial of Service Vulnerability in Odata | 9/10/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | aspnet/Announcements#385 | ASP.NET Core | Microsoft.AspNetCore.DataProtection.AzureStorage | 2.2.0 | 2.2.1 |
| CVE-2018-8269 | Denial of Service Vulnerability in Odata | 9/10/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | aspnet/Announcements#385 | ASP.NET Core | Microsoft.AspNetCore.All | [2.1.0, 2.1.12] | 2.1.13 |
| CVE-2018-8269 | Denial of Service Vulnerability in Odata | 9/10/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | aspnet/Announcements#385 | ASP.NET Core | Microsoft.AspNetCore.All | [2.2.0, 2.2.6] | 2.2.7 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.Private.ServiceModel | [4.0.0, 4.1.1] | 4.1.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.Private.ServiceModel | [4.3.0, 4.3.1] | 4.3.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.Private.ServiceModel | [4.4.0, 4.4.2] | 4.4.4 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.Private.ServiceModel | [4.5.0, 4.5.1] | 4.5.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.Duplex | [4.0.0, 4.0.2] | 4.0.4 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.Duplex | [4.3.0, 4.3.1] | 4.3.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.Duplex | [4.4.0, 4.4.2] | 4.4.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.Duplex | [4.5.0, 4.5.1] | 4.5.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.Http | [4.0.0, 4.1.1] | 4.1.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.Http | [4.3.0, 4.3.1] | 4.3.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.Http | [4.4.0, 4.4.2] | 4.4.4 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.Http | [4.5.0, 4.5.1] | 4.5.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.NetTcp | [4.0.0, 4.1.1] | 4.1.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.NetTcp | [4.3.0, 4.3.1] | 4.3.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.NetTcp | [4.4.0, 4.4.2] | 4.4.4 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.NetTcp | [4.5.0, 4.5.1] | 4.5.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.Primitives | [4.0.0, 4.1.1] | 4.1.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.Primitives | [4.3.0, 4.3.1] | 4.3.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.Primitives | [4.4.0, 4.4.2] | 4.4.4 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.Primitives | [4.5.0, 4.5.1] | 4.5.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.Security | [4.0.0, 4.1.1] | 4.1.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.Security | [4.3.0, 4.3.1] | 4.3.3 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.Security | [4.4.0, 4.4.2] | 4.4.4 |
| CVE-2018-8356 | .NET Core Security Feature Bypass Vulnerability | 7/10/2018 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356 | dotnet/announcements#73 | .NET Core | System.ServiceModel.Security | [4.5.0, 4.5.1] | 4.5.3 |
| CVE-2018-8416 | .NET Core Tampering Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8416 | dotnet/announcements#95 | .NET Core 2.1 | Microsoft.NETCore.App | [2.1.0, 2.1.6] | 2.1.7 |
| CVE-2019-0545 | .NET Core Information Disclosure Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0545 | dotnet/announcements#94 | .NET Core 2.1 and 2.2 | Microsoft.NETCore.App | [2.1.0, 2.1.6] | 2.1.7 |
| CVE-2019-0546 | .NET Core Information Disclosure Vulnerability | 1/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0546 | dotnet/announcements#95 | .NET Core 2.1 and 2.3 | Microsoft.NETCore.App | 2.2.0 | 2.2.1 |
| CVE-2019-0546 | .NET Core Information Disclosure Vulnerability | 1/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0546 | dotnet/announcements#95 | .NET Core 2.1 and 2.3 | System.Net.Http | ? | ? |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | aspnet/Announcements#334 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.WebSockets | 2.2.0 | 2.2.1 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | aspnet/Announcements#334 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.WebSockets | 2.1.0, 2.1.1 | 2.1.7 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | aspnet/Announcements#334 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.Server.Kestrel.Core | 2.1.0, 2.1.1, 2.1.2, 2.1.3 | 2.1.7 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | aspnet/Announcements#334 | ASP.NET Core 2.1 and 2.2 | System.Net.WebSockets.WebSocketProtocol | 4.5.0, 4.5.1, 4.5.2 | 4.5.3 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | aspnet/Announcements#334 | ASP.NET Core 2.1 and 2.2 | Microsoft.NETCore.App | 2.2.0 | 2.2.1 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | aspnet/Announcements#334 | ASP.NET Core 2.1 and 2.2 | Microsoft.NETCore.App | 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.1.7 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | aspnet/Announcements#334 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.App | 2.2.0 | 2.2.1 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | aspnet/Announcements#334 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.App | 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.1.7 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | aspnet/Announcements#334 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.All | 2.2.0 | 2.2.1 |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | 1/8/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564 | aspnet/Announcements#334 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.All | 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.1.7 |
| CVE-2019-0657 | .NET Core Domain Spoofing Vulnerability | 2/12/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0657 | dotnet/announcements#97 | .NET Core 1.0, 1.1, 2.1 and 2.2 | System.Private.Uri | [4.3.0, 4.3.1] | 4.3.2 |
| CVE-2019-0657 | .NET Core Domain Spoofing Vulnerability | 2/12/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0657 | dotnet/announcements#97 | .NET Core 1.0, 1.1, 2.1 and 2.2 | Microsoft.NETCore.App | [2.1.0, 2.1.7] | 2.1.8 |
| CVE-2019-0657 | .NET Core Domain Spoofing Vulnerability | 2/12/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0657 | dotnet/announcements#97 | .NET Core 1.0, 1.1, 2.1 and 2.2 | Microsoft.NETCore.App | [2.2.0, 2.2.1] | 2.2.2 |
| CVE-2019-0980 | .NET Core Denial of Service Vulnerability | 5/14/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0980 | dotnet/announcements#112 | .NET Core and ASP.NET Core 1.0, 1.1, 2.1 and 2.2 | System.Private.Uri | [4.3.0, 4.3.1] | 4.3.2 |
| CVE-2019-0981 | .NET Core Denial of Service Vulnerability | 5/14/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0981 | dotnet/announcements#113 | .NET Core and ASP.NET Core 1.0, 1.1, 2.1 and 2.2 | System.Private.Uri | [4.3.0, 4.3.1] | 4.3.2 |
| CVE-2019-0982 | ASP.NET Core Denial of Service Vulnerability | 5/14/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0982 | aspnet/Announcements#359 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.SignalR.Protocols.MessagePack | [1.0.0, 1.0.4] | 1.0.11 |
| CVE-2019-0982 | ASP.NET Core Denial of Service Vulnerability | 5/14/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0982 | aspnet/Announcements#359 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.SignalR.Protocols.MessagePack | 1.1.0 | 1.1.5 |
| CVE-2019-1075 | ASP.NET Core Spoofing Vulnerability | 7/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | aspnet/Announcements#373 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.Server.HttpSys | 2.1.0, 2.1.1 | 2.1.12 |
| CVE-2019-1075 | ASP.NET Core Spoofing Vulnerability | 7/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | aspnet/Announcements#373 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.Server.HttpSys | 2.2.0 | 2.2.6 |
| CVE-2019-1075 | ASP.NET Core Spoofing Vulnerability | 7/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | aspnet/Announcements#373 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.Server.IIS | 2.2.0, 2.2.1, 2.2.2 | 2.2.6 |
| CVE-2019-1075 | ASP.NET Core Spoofing Vulnerability | 7/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | aspnet/Announcements#373 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.All | [2.1.0, 2.1.11] | 2.1.12 |
| CVE-2019-1075 | ASP.NET Core Spoofing Vulnerability | 7/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | aspnet/Announcements#373 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.All | [2.2.0, 2.2.5] | 2.2.6 |
| CVE-2019-1075 | ASP.NET Core Spoofing Vulnerability | 7/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | aspnet/Announcements#373 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.App | [2.1.0,2.1.11] | 2.1.12 |
| CVE-2019-1075 | ASP.NET Core Spoofing Vulnerability | 7/9/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075 | aspnet/Announcements#373 | ASP.NET Core 2.1 and 2.2 | Microsoft.AspNetCore.App | [2.2.0, 2.2.5] | 2.2.6 |
| CVE-2019-1302 | ASP.NET Core Elevation Of Privilege Vulnerability | 9/10/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1302 | aspnet/Announcements#384 | ASP.NET Core | Microsoft.AspNetCore.SpaServices | [2.1.0, 2.1.1] | 2.1.2 |
| CVE-2019-1302 | ASP.NET Core Elevation Of Privilege Vulnerability | 9/10/2019 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1302 | aspnet/Announcements#384 | ASP.NET Core | Microsoft.AspNetCore.SpaServices | 2.2.0 | 2.2.1 |
| CVE-2020-0602 | ASP.NET Core Denial of Service Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602 | aspnet/Announcements#402 | ASP.NET Core | Microsoft.AspNetCore.Http.Connections | [1.0.0, 1.0.4] | 1.0.15 |
| CVE-2020-0602 | ASP.NET Core Denial of Service Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602 | aspnet/Announcements#402 | ASP.NET Core | Microsoft.AspNetCore.App | [2.1.0, 2.1.14] | 2.1.15 |
| CVE-2020-0602 | ASP.NET Core Denial of Service Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602 | aspnet/Announcements#402 | ASP.NET Core | Microsoft.AspNetCore.App | 3.0.0 | 3.0.1 |
| CVE-2020-0602 | ASP.NET Core Denial of Service Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602 | aspnet/Announcements#402 | ASP.NET Core | Microsoft.AspNetCore.App | 3.1.0 | 3.1.1 |
| CVE-2020-0602 | ASP.NET Core Denial of Service Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602 | aspnet/Announcements#402 | ASP.NET Core | Microsoft.AspNetCore.All | [2.1.0, 2.1.14] | 2.1.15 |
| CVE-2020-0603 | ASP.NET Core Remote Code Execution Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603 | aspnet/Announcements#403 | ASP.NET Core | Microsoft.AspNetCore.Http.Connections | [1.0.0, 1.0.4] | 1.0.15 |
| CVE-2020-0603 | ASP.NET Core Remote Code Execution Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603 | aspnet/Announcements#403 | ASP.NET Core | Microsoft.AspNetCore.App | [2.1.0, 2.1.14] | 2.1.15 |
| CVE-2020-0603 | ASP.NET Core Remote Code Execution Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603 | aspnet/Announcements#403 | ASP.NET Core | Microsoft.AspNetCore.App | 3.0.0 | 3.0.1 |
| CVE-2020-0603 | ASP.NET Core Remote Code Execution Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603 | aspnet/Announcements#403 | ASP.NET Core | Microsoft.AspNetCore.App | 3.1.0 | 3.1.1 |
| CVE-2020-0603 | ASP.NET Core Remote Code Execution Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603 | aspnet/Announcements#403 | ASP.NET Core | Microsoft.AspNetCore.All | [2.1.0, 2.1.14] | 2.1.15 |
| CVE-2020-0606 | .NET Core Remote Code Execution Vulnerability | 1/14/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0606 | dotnet/announcements#149 | .NET Core | WindowsDesktop.App | 3.0.1, 3.1.0 | 3.0.2, 3.1.1 |
| CVE-2020-1045 | Microsoft ASP.NET Core Security Feature Bypass Vulnerability | 9/8/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 | dotnet/announcements#165 | ASP.NET Core | Microsoft.AspNetCore.Http | 2.1.21 | 2.1.22 |
| CVE-2020-1045 | Microsoft ASP.NET Core Security Feature Bypass Vulnerability | 9/8/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 | dotnet/announcements#165 | ASP.NET Core | Microsoft.AspNetCore.App | 3.1.7 | 3.1.8 |
| CVE-2020-1045 | Microsoft ASP.NET Core Security Feature Bypass Vulnerability | 9/8/2020 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045 | dotnet/announcements#165 | ASP.NET Core | Microsoft.Owin | 2.1.21, 3.1.7 | 2.1.22, 3.1.8 |

@taladrane taladrane (Collaborator) commented May 19, 2022

thank you @skofman1 for sharing this with us! we've made an internal issue to track this and have added this to our backfill queue. this information is extremely helpful! I'll let you know if we have any additional questions once we've started going through it 😄

@darakian darakian (Contributor) commented Jul 8, 2022

Hey @skofman1, sorry for the delay, but we're now live-ish 🎉

A few notes.
Your list has CVE-2019-0545 as affecting Microsoft.NETCore.App in >= 2.1.0, < 2.1.7 with 2.1.7 as the fix. I assume this is a typo as the reference has two ranges for System.Net.Http. I've followed dotnet/announcements#94 for our advisory.

Similarly, CVE-2019-0546 lists Microsoft.NETCore.App and System.Net.Http for the affected packages, while https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0546 lists Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8).
Should this one be for Microsoft.NETCore.App with the two ranges >= 2.1.0, < 2.1.7 & = 2.2.0?
Currently holding off on publishing this one.

CVE-2020-0606 / dotnet/announcements#149
The dotnet announcement mentions "Any .NET Core application running on .NET Core 3.0.0, 3.0.1 or 3.1.0." for affected software, and your notes list WindowsDesktop.App, which does not seem to exist:
https://www.nuget.org/packages/WindowsDesktop.App
Makes me think this is for the runtime and not a package, but let me know if I'm wrong there.

CVE-2020-1045 / dotnet/announcements#165
Similar affected software description, and your note of Microsoft.Owin is missing both fix versions (2.1.22 and 3.1.8) that you suggest:
https://www.nuget.org/packages/Microsoft.Owin
dotnet/aspnetcore#24264 led me to Microsoft.AspNetCore.Http for this.
Can I get a double check on that one as well?

Thank you so much for the great list and sorry again for the delay in getting this done 🙇

CC @taladrane
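
A lint pass of the kind the review comment above does by hand, as an added example that is not part of the issue or of either project's tooling: it reads the three version notations used in the table (single version, comma list, `[low, high]` interval), renders inclusive bounds, and flags rows whose cells cannot be read as stated. The function names are hypothetical, the sample rows are copied from the table, and collapsing a version list to its lowest and highest entry is an assumption of the example.

```python
import re

VERSION = re.compile(r"\d+(?:\.\d+)+")
MITRE = "https://cve.mitre.org/cgi-bin/cvename.cgi?name="

def parse_version(text):
    """'2.1.12' -> (2, 1, 12); raises ValueError for anything else."""
    text = text.strip()
    if not VERSION.fullmatch(text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def parse_vulnerable(cell):
    """Return inclusive (low, high) bounds for a 'vulnerable version range' cell."""
    cell = cell.strip()
    if cell.startswith("[") and cell.endswith("]"):
        parts = cell[1:-1].split(",")          # NuGet interval: [low, high]
        if len(parts) != 2:
            raise ValueError(f"interval needs two bounds: {cell!r}")
        low, high = parse_version(parts[0]), parse_version(parts[1])
    else:
        # Single version or comma list. Assumption: a list is collapsed to
        # its lowest and highest entry.
        versions = [parse_version(part) for part in cell.split(",")]
        low, high = min(versions), max(versions)
    if low > high:
        raise ValueError(f"lower bound above upper bound: {cell!r}")
    return low, high

def fmt(version):
    return ".".join(str(part) for part in version)

def lint_row(cve, cve_url, vulnerable, fixed):
    """Return (range_text or None, list of problems) for one table row."""
    problems = []
    if cve_url.split("name=", 1)[-1] != cve:
        problems.append("CVE URL does not name the CVE in the first column")
    try:
        low, high = parse_vulnerable(vulnerable)
    except ValueError as exc:
        return None, problems + [f"vulnerable range: {exc}"]
    if low == high:
        range_text = f"= {fmt(low)}"
    else:
        range_text = f">= {fmt(low)}, <= {fmt(high)}"
    try:
        fix = parse_version(fixed)
    except ValueError:
        problems.append(f"fixed-in cell is not a single version: {fixed!r}")
    else:
        if fix <= high:
            problems.append("fixed version is not above the vulnerable range")
    return range_text, problems

# Rows copied from the table in the issue: (CVE, CVE URL, vulnerable, fixed).
ROWS = [
    ("CVE-2018-8416", MITRE + "CVE-2018-8416", "[2.1.0, 2.1.6]", "2.1.7"),
    ("CVE-2017-11883", MITRE + "CVE-2017-11883", "1.1.0, 1.1.1, 1.1.2 ,1.1.3", "1.1.4"),
    ("CVE-2019-0546", MITRE + "CVE-2019-0546", "?", "?"),
    ("CVE-2018-8269", MITRE + "CVE-2019-1075", "2.1.1", "2.1.2"),
    ("CVE-2020-0606", MITRE + "CVE-2020-0606", "3.0.1, 3.1.0", "3.0.2, 3.1.1"),
]

def lint_all(rows=ROWS):
    """Lint every row; returns a list of (cve, range_text, problems)."""
    return [(row[0],) + lint_row(*row) for row in rows]

if __name__ == "__main__":
    for cve, range_text, problems in lint_all():
        print(cve, range_text, problems or "ok")
```
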
