microsoft.azure.cognitiveservices.vision.computervision.7.0.1.nupkg: 1 vulnerabilities (highest severity is: 8.7) [master]

[mend-developer-platform-dev]

📂 Vulnerable Library - microsoft.azure.cognitiveservices.vision.computervision.7.0.1.nupkg

This client library provides access to the Microsoft Cognitive Services ComputerVision APIs.

Path to dependency file: /backend/extensions/Squidex.Extensions/Squidex.Extensions.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.azure.cognitiveservices.vision.computervision/7.0.1/microsoft.azure.cognitiveservices.vision.computervision.7.0.1.nupkg

Findings

Finding	Severity	🎯 CVSS	Exploit Maturity	EPSS	Library	Type	Fixed in	Remediation Available	Reachability
CVE-2019-0820	🔴 High	8.7	Not Defined	3.2%	system.text.regularexpressions.4.3.0.nupkg	Transitive	N/A	❌

Details

🔴CVE-2019-0820

Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg

Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...

Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg

Path to dependency file: /backend/src/Squidex/Squidex.csproj

Path to vulnerable library: /opt/containerbase/tools/dotnet/sdk/NuGetFallbackFolder/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Dependency Hierarchy:

• Squidex.Domain.Apps.Entities.Tests-1.0.0 (Root Library)

  • Squidex.Extensions-1.0.0
    • windowsazure.storage.9.3.3.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.xml.xdocument.4.3.0.nupkg
          • system.xml.readerwriter.4.3.0.nupkg
            • ❌ system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

• windowsazure.storage.9.3.3.nupkg (Root Library)

  • netstandard.library.1.6.1.nupkg
    • system.xml.xdocument.4.3.0.nupkg
      • system.xml.readerwriter.4.3.0.nupkg
        • ❌ system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

• Squidex.Extensions-1.0.0 (Root Library)

  • windowsazure.storage.9.3.3.nupkg
    • netstandard.library.1.6.1.nupkg
      • system.xml.xdocument.4.3.0.nupkg
        • system.xml.readerwriter.4.3.0.nupkg
          • ❌ system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

• squidex.assets.imagesharp.6.19.0.nupkg (Root Library)

  • blurhash.imagesharp.3.0.0.nupkg
    • blurhash.core.2.0.0.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.xml.xdocument.4.3.0.nupkg
          • system.xml.readerwriter.4.3.0.nupkg
            • ❌ system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

• microsoft.azure.cognitiveservices.vision.computervision.7.0.1.nupkg (Root Library)

  • microsoft.rest.clientruntime.azure.3.3.18.nupkg
    • netstandard.library.1.6.1.nupkg
      • system.xml.xdocument.4.3.0.nupkg
        • system.xml.readerwriter.4.3.0.nupkg
          • ❌ system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

---

Vulnerability Details

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981. After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.

Publish Date: May 16, 2019 06:17 PM

URL: CVE-2019-0820

Threat Assessment

Exploit Maturity:Not Defined

EPSS:3.2%

Score: 8.7

---

Suggested Fix

Type: Upgrade version

Origin: GHSA-cmhx-cq75-c4mj

Release Date: May 16, 2019 06:17 PM

Fix Resolution : System.Text.RegularExpressions - 4.3.1