GHSA-g4vj-cjjj-v7hg

ADVISORY - github

Summary

Impact

This update adds validation of the package ID and version during package download, in addition to the existing package signature validation.

Patches

NuGet

The following NuGet.exe, NuGet.CommandLine, NuGet.Packaging, and NuGet.Protocol versions have been patched:

Affected versions	Patched version
>= 4.9.0, <= 4.9.6	4.9.7
>= 5.11.0, <= 5.11.6	5.11.7
>= 6.8.0, <= 6.8.1	6.8.2
>= 6.11.0, <= 6.11.1	6.11.2
>= 6.12.0, <= 6.12.4	6.12.5
>= 6.14.0, <= 6.14.2	6.14.3
>= 7.0.0, <= 7.0.2	7.0.3
7.3.0	7.3.1

.NET SDK

.NET 8.0.126 SDK
.NET 8.0.420 SDK
.NET 9.0.116 SDK
.NET 9.0.313 SDK
.NET 10.0.106 SDK
.NET 10.0.202 SDK

Workarounds

N/A

References

https://github.com/NuGet/NuGetGallery/security/advisories/GHSA-9r3h-v4hx-rhfr

Credit

splitline with DEVCORE

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-345⁠

Insufficient Verification of Data Authenticity

Impacted images

Advisories

GitHub

CREATED

20 hours ago

UPDATED

20 hours ago

ADVISORY IDGHSA-g4vj-cjjj-v7hg⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-345⁠

CVSS SCORE

N/Alow

minimos

CREATED

5 hours ago

UPDATED

5 hours ago

ADVISORY ID

MINI-4vf5-5m57-gvpq

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

5 hours ago

UPDATED

5 hours ago

ADVISORY ID

MINI-j2ch-rpf4-7pj5

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY