CVE-2024-0057 NuGet Pre Release packages

[sean-redmond]

IDs

CVE-2024-0057

Description

I noticed when installing dotnet-sdk-8.0 into an ubuntu:24.04 base image trivy is flagging the below, it looks to be the NuGet package tool flows in pre-release versions and trivy is flagging the versions as containing a CVE but it appears to already be resolved in the pre-release version

┌─────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ NuGet.Packaging │ CVE-2024-0057 │ CRITICAL │ fixed │ 6.8.1-rc.32767 │ 5.11.6, 6.0.6, 6.3.4, 6.4.3, 6.6.2, 6.7.1, 6.8.1 │ dotnet: X509 Certificates - Validation Bypass across Azure │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-0057 │
└─────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────────────┴────────────────────────────────────────────────────────────┘

Related items:

dotnet/sdk#40355
NuGet/Home#3606
NuGet/Home#2735

Reproduction Steps

1) Build a docker image with this:


FROM ubuntu:24.04
RUN apt update -y && apt dist-upgrade -y
RUN apt install -y aspnetcore-runtime-8.0 dotnet-sdk-8.0

2. Scan the resulting image.

### Target

Container Image

### Scanner

Vulnerability

### Target OS

ubuntu 24.04

### Debug Output

```bash
usr/lib/dotnet/sdk/8.0.105/Containers/tasks/net8.0/Microsoft.NET.Build.Containers.deps.json (dotnet-core)
=========================================================================================================
Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────────────┬────────────────────────────────────────────────────────────┐
│     Library     │ Vulnerability │ Severity │ Status │ Installed Version │                  Fixed Version                   │                           Title                            │
├─────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ NuGet.Packaging │ CVE-2024-0057 │ CRITICAL │ fixed  │ 6.8.1-rc.32767    │ 5.11.6, 6.0.6, 6.3.4, 6.4.3, 6.6.2, 6.7.1, 6.8.1 │ dotnet: X509 Certificates - Validation Bypass across Azure │
│                 │               │          │        │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2024-0057                  │
└─────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────────────┴────────────────────────────────────────────────────────────┘

Version

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest --version
Version: 0.49.1

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @sean-redmond
Thanks for your report!

We don't check sdk when scanning *.deps.json files. Therefore, we can't be sure that *.deps.json contains fixed version.

Nuget didn''t update version in *.deps.json (see dotnet/sdk#40355 (comment)).
Therefore, until new version is released, you can skip this *.deps.json file or CVE.
But i am guessing to use VEX to skip only CVE-2024-0057 for only 6.8.1-rc.32767 version.

Regards, Dmitriy