CVE-2022-26907 (Medium) detected in microsoft.rest.clientruntime.2.3.8.nupkg

[mend-bolt-for-github]

CVE-2022-26907 - Medium Severity Vulnerability

Vulnerable Library - microsoft.rest.clientruntime.2.3.8.nupkg

Infrastructure for error handling, tracing, and HttpClient pipeline configuration. Required by clien...

Library home page: https://api.nuget.org/packages/microsoft.rest.clientruntime.2.3.8.nupkg

Path to dependency file: /src/poi/web/poi.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.rest.clientruntime/2.3.8/microsoft.rest.clientruntime.2.3.8.nupkg

Dependency Hierarchy:

• microsoft.aspnetcore.dataprotection.azurekeyvault.2.2.0.nupkg (Root Library)
  • microsoft.azure.keyvault.2.3.2.nupkg
    • microsoft.rest.clientruntime.azure.3.3.7.nupkg
      • ❌ microsoft.rest.clientruntime.2.3.8.nupkg (Vulnerable Library)

Found in HEAD commit: fbc3a9665f7473faa96484a3fa9b058ad82d7e60

Found in base branch: master

Vulnerability Details

Azure SDK for .NET Information Disclosure Vulnerability

Publish Date: 2022-04-15

URL: CVE-2022-26907

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-26907

Release Date: 2022-04-15

Fix Resolution: Microsoft.Rest.ClientRuntime - 2.3.24

---

Step up your Open Source Security Game with Mend here