Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Latest 6.* and 7.* versions of Microsoft.VisualStudio.Web.CodeGeneration.Design result in vulnerable version of NuGet.Packaging being installed CVE-2024-0057. #2711

Open
Banner-Keith opened this issue Apr 12, 2024 · 1 comment

Comments

@Banner-Keith
Copy link

Consumers of the Microsoft.VisualStudio.Web.CodeGeneration.Design package that have not upgraded their projects to .net 8 yet will inadvertently end up with NuGet.Packaging 6.6.1 being installed which has a critical vulnerability CVE-2024-0057

Here is an example of the dependency tree that is resolved:

[email protected]
=> [email protected]
=> [email protected]
=> [email protected]
=> [email protected]
=> [email protected]

And for .net 7
[email protected]
=> [email protected]
=> [email protected]
=> [email protected]
=> [email protected]
=> [email protected]

Given that .net 6 and 7 are still supported both of those major versions should receive a new patch version without vulnerabilities in the transient dependencies.

The easiest solution I see:
Microsoft.DotNet.Scaffolding.Shared needs to have the reference to NuGet.ProjectModel updated to 6.6.2, 6.7.1, 6.8.1 or 6.9.1 and then that new patch version of Microsoft.DotNet.Scaffolding.Shared should be installed as the updated dependency in Microsoft.VisualStudio.Web.CodeGeneration.Design

@deepchoudhery
Copy link
Member

Yup will fix in the next servicing, tyty

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants