NuGet package has dependency with known security vulnerabilities (Microsoft.AspNetCore.Hosting) #1902

Closed
older opened this issue Jun 8, 2020 · 10 comments · Fixed by #2026

Comments

older commented Jun 8, 2020

Describe your environment.

  • SDK version: 2.14.0
  • .NET runtime version (.NET or .NET Core, TargetFramework in the .csproj file): netcoreapp3.1
  • Hosting Info (IIS/Azure WebApps/etc): IIS
  • Platform and OS version: Windows Server 2019

Steps to reproduce.
Add Microsoft.ApplicationInsights.AspNetCore reference to your project. Look at transitive dependencies.

What is the expected behavior?
Reference to a version of Microsoft.AspNetCore.Hosting without known security vulnerabilities (maybe the latest from 1.0.x?)

What is the actual behavior?
Reference to Microsoft.AspNetCore.Hosting 1.0.2, which is a version with a security vulnerability.

Additional context.
I understand that this can probably be fixed by using the latest version of the runtime in hosting, but this gets reported by security scanners as a vulnerability in the project, so it is still a good idea to reference libraries without known security vulnerabilities.

@older older added the bug label Jun 8, 2020
TimothyMothra (Member) commented

Hello, thanks for reporting.
I'll be reviewing all of our compliance issues this month, including this.

@TimothyMothra TimothyMothra self-assigned this Jun 8, 2020
ghost commented Jun 16, 2020

Subscribed, because our package vulnerability gate is failing on this

TimothyMothra (Member) commented

@older, @quepasadiformaggio what tool are you using to detect this vulnerability?
The tool we're using hasn't identified this. It HAS identified other out of date packages so maybe it's a configuration issue.

I'm working on this issue this week and I'll reply to this thread when my PR has merged. You'll be able to grab our nightly build to validate.

@TimothyMothra TimothyMothra added this to the 2.15 milestone Jun 16, 2020
TimothyMothra (Member) commented

Just merged this fix. It will be available tomorrow from our nightly builds.

ghost commented Jun 18, 2020

We used WhiteSource bolt. You can find the message below.
Question: I'm not that familiar (yet) with GitHub & NuGet. How can we find the fixed version from NuGet? The latest I see is 2.15.0-beta2, which does not have this fix yet. Or do you mean that we grab the current develop branch from GitHub, build it locally and use it in the project to check whether it is fixed?

WhiteSource bolt message:
High7.5
CVE-2018-0808
Mar-14-2018
Microsoft.AspNetCore.Hosting-1.0.2.30217.dll
ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnerability due to how ASP.NET web applications handle web requests, aka "ASP.NET Core Elevation Of Privilege Vulnerability". This CVE is unique from CVE-2018-0784. Solution:
Upgrade to version Microsoft.AspNetCore.Server.IISIntegration - 2.1.0, Microsoft.AspNetCore.Hosting - 2.1.0
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0808

cijothomas (Contributor) commented

ghost commented Jun 18, 2020

Thank you. I have run it again and get the same message, but now for 1.1.3. It seems like only upgrading to >= 2.1.0 will fix the problem.

High7.5
CVE-2018-0808
Mar-14-2018
Microsoft.AspNetCore.Hosting-1.1.3.30908.dll
ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnerability due to how ASP.NET web applications handle web requests, aka "ASP.NET Core Elevation Of Privilege Vulnerability". This CVE is unique from CVE-2018-0784.
Upgrade to version Microsoft.AspNetCore.Server.IISIntegration - 2.1.0, Microsoft.AspNetCore.Hosting - 2.1.0
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0808
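As an added example (not code from this thread or from the Application Insights project), the check below walks a constructed NuGet packages.lock.json shaped like the scenario above and flags Microsoft.AspNetCore.Hosting below 2.1.0, naming the direct package that pulled it in. The advisory table is hand-built from the WhiteSource message quoted here, not a live vulnerability feed, and the lock-file contents are constructed sample data.

```python
import json
from typing import Dict, List, Tuple

# Constructed advisory table: package -> (CVE, first fixed version), taken from
# the WhiteSource message quoted in the thread (not a live vulnerability feed).
ADVISORIES = {
    "Microsoft.AspNetCore.Hosting": ("CVE-2018-0808", "2.1.0"),
    "Microsoft.AspNetCore.Server.IISIntegration": ("CVE-2018-0808", "2.1.0"),
}

# Constructed packages.lock.json fragment mirroring the report: the direct
# Microsoft.ApplicationInsights.AspNetCore 2.14.0 pulls in Hosting 1.0.2.
LOCK_FILE = json.dumps({
    "version": 1,
    "dependencies": {
        "netcoreapp3.1": {
            "Microsoft.ApplicationInsights.AspNetCore": {
                "type": "Direct", "requested": "[2.14.0, )", "resolved": "2.14.0",
                "dependencies": {"Microsoft.AspNetCore.Hosting": "1.0.2"},
            },
            "Microsoft.AspNetCore.Hosting": {"type": "Transitive", "resolved": "1.0.2"},
            "Microsoft.AspNetCore.Http": {"type": "Transitive", "resolved": "2.1.0"},
        }
    },
})


def parse_version(v: str) -> Tuple[Tuple[int, ...], Tuple[int, str]]:
    """Order NuGet versions: numeric parts first (padded to four), then a
    prerelease tag, which sorts below its release ("2.15.0-beta2" < "2.15.0")."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (4 - len(nums))
    return nums, ((0, pre) if pre else (1, ""))


def find_vulnerable(lock_json: str) -> List[Dict[str, str]]:
    """Return every resolved package below its fixed version, with the direct
    dependencies whose dependency lists pull it into the graph."""
    lock = json.loads(lock_json)
    findings = []
    for tfm, packages in lock["dependencies"].items():
        for name, entry in packages.items():
            if name not in ADVISORIES:
                continue
            cve, fixed = ADVISORIES[name]
            if parse_version(entry["resolved"]) >= parse_version(fixed):
                continue  # already at or above the fixed version
            parents = [p for p, e in packages.items() if name in e.get("dependencies", {})]
            findings.append({"framework": tfm, "package": name, "version": entry["resolved"],
                             "cve": cve, "fixed_in": fixed, "via": ", ".join(parents) or "(direct)"})
    return findings
```

Run against a real lock file (`dotnet restore --use-lock-file` writes one), the `via` field tells you which direct reference must be bumped, which is the question this thread keeps coming back to.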

@TimothyMothra TimothyMothra changed the title NuGet package has dependency with known security vulnerabilities NuGet package has dependency with known security vulnerabilities (Microsoft.AspNetCore.Hosting) Aug 4, 2020
vkpraveen commented

Can we get any update on this?

TimothyMothra (Member) commented

@vkpraveen there's an open PR linked to this issue, you can monitor our progress there.
Upgrading this library breaks some of our tests. The only holdup is making the time to fully investigate what changed.
We're still planning on delivering this change with our next stable release (v2.15).

TimothyMothra (Member) commented

Hello all, we just merged the fix for this issue.
Sorry for the many delays.

We're going to start the next beta (v2.15.0-beta3) release tonight, but because of the holiday weekend, it likely won't be available until the middle of next week.
