GHSA-g4vj-cjjj-v7hg
ADVISORY - github
Summary
Impact
This update adds validation of the package ID and version during package download, in addition to the existing package signature validation.
Patches
NuGet
The following NuGet.exe, NuGet.CommandLine, NuGet.Packaging, and NuGet.Protocol versions have been patched:
| Affected versions | Patched version |
|---|---|
| >= 4.9.0, <= 4.9.6 | 4.9.7 |
| >= 5.11.0, <= 5.11.6 | 5.11.7 |
| >= 6.8.0, <= 6.8.1 | 6.8.2 |
| >= 6.11.0, <= 6.11.1 | 6.11.2 |
| >= 6.12.0, <= 6.12.4 | 6.12.5 |
| >= 6.14.0, <= 6.14.2 | 6.14.3 |
| >= 7.0.0, <= 7.0.2 | 7.0.3 |
| 7.3.0 | 7.3.1 |
.NET SDK
- .NET 8.0.126 SDK
- .NET 8.0.420 SDK
- .NET 9.0.116 SDK
- .NET 9.0.313 SDK
- .NET 10.0.106 SDK
- .NET 10.0.202 SDK
Workarounds
N/A
References
https://github.com/NuGet/NuGetGallery/security/advisories/GHSA-9r3h-v4hx-rhfr
Credit
Common Weakness Enumeration (CWE)
ADVISORY - github
Insufficient Verification of Data Authenticity
GitHub
ADVISORY ID: GHSA-g4vj-cjjj-v7hg
CVSS SCORE: N/A
low
minimos
ADVISORY ID: MINI-4vf5-5m57-gvpq
minimos
ADVISORY ID: MINI-j2ch-rpf4-7pj5