Git Product home page Git Product logo

akka.persistence.oracle's Introduction

Akka.Persistence.Oracle

Akka.NET Persistence journal and snapshot store backed by Oracle ODP.NET

Codacy Badge Build Status NuGet Downloads FOSSA Status

Configuration

Both journal and snapshot store share the same configuration keys (however they resides in separate scopes, so they are defined distinctly for either journal or snapshot store):

Remember that connection string must be provided separately to Journal and Snapshot Store.

akka.persistence {

    journal {
        plugin = "akka.persistence.journal.oracle"
        oracle {
            # qualified type name of the Oracle persistence journal actor
            class = "Akka.Persistence.Oracle.Journal.OracleJournal, Akka.Persistence.Oracle"

            # dispatcher used to drive journal actor
            plugin-dispatcher = "akka.actor.default-dispatcher"

            # connection string used for database access
            connection-string = ""

            # connection string name for .config file used when no connection string has been provided
            connection-string-name = ""

            # default SQL commands timeout
            connection-timeout = 30s

            # Oracle schema name to table corresponding with persistent journal
            schema-name = SYSTEM

            # Oracle table corresponding with persistent journal
            table-name = EVENTJOURNAL

            # should corresponding journal table be initialized automatically
            auto-initialize = off

            # timestamp provider used for generation of journal entries timestamps
            timestamp-provider = "Akka.Persistence.Sql.Common.Journal.DefaultTimestampProvider, Akka.Persistence.Sql.Common"

            # metadata table
            metadata-table-name = METADATA
        }
    }

    snapshot-store {
        plugin = "akka.persistence.snapshot-store.oracle"
        oracle {
            # qualified type name of the Oracle persistence journal actor
            class = "Akka.Persistence.Oracle.Snapshot.OracleSnapshotStore, Akka.Persistence.Oracle"

            # dispatcher used to drive journal actor
            plugin-dispatcher = "akka.actor.default-dispatcher"

            # connection string used for database access
            connection-string = ""

            # connection string name for .config file used when no connection string has been provided
            connection-string-name = ""

            # default SQL commands timeout
            connection-timeout = 30s

            # Oracle schema name to table corresponding with persistent journal
            schema-name = SYSTEM

            # Oracle table corresponding with persistent journal
            table-name = SNAPSHOTSTORE

            # should corresponding journal table be initialized automatically
            auto-initialize = off
        }
    }
}

Batching journal

Since version 1.2 an alternative, experimental type of the journal has been released, known as batching journal. It's optimized for concurrent writes made by multiple persistent actors, thanks to the ability of batching multiple SQL operations to be executed within the same database connection. In some of those situations we've noticed over an order of magnitude in event write speed.

To use batching journal, simply change akka.persistence.journal.oracle.class to Akka.Persistence.Oracle.Journal.BatchingOracleJournal, Akka.Persistence.Oracle.

Additionally to the existing settings, batching journal introduces few more:

  • isolation-level to define isolation level for transactions used withing event reads/writes. Possible options: read-committed (default).
  • max-concurrent-operations is used to limit the maximum number of database connections used by this journal. You can use them in situations when you want to partition the same ADO.NET pool between multiple components. Current default: 64.
  • max-batch-size defines the maximum number of SQL operations, that are allowed to be executed using the same connection. When there are more operations, they will chunked into subsequent connections. Current default: 100.
  • max-buffer-size defines maximum buffer capacity for the requests send to a journal. Once buffer gets overflown, a journal will call OnBufferOverflow method. By default it will reject all incoming requests until the buffer space gets freed. You can inherit from BatchingOracleJournal and override that method to provide a custom back-pressure strategy. Current default: 500 000.

Table Schema

Oracle persistence plugin defines a default table schema used for journal, snapshot store and metadata table.

CREATE TABLE EVENTJOURNAL (
    Ordering INTEGER NOT NULL,
    PersistenceId NVARCHAR2(255) NOT NULL,
    SequenceNr NUMBER(19,0) NOT NULL,
    Timestamp NUMBER(19,0) NOT NULL,
    IsDeleted NUMBER(1,0) DEFAULT(0) NOT NULL CHECK (IsDeleted IN (0,1)),
    Manifest NVARCHAR2(500) NOT NULL,
    Payload BLOB NOT NULL,
    Tags NVARCHAR2(100) NULL,
    SerializerId NUMBER(10,0) NULL,
    CONSTRAINT PK_EVENTJOURNAL PRIMARY KEY (Ordering),
    CONSTRAINT QU_EVENTJOURNAL UNIQUE (PersistenceId, SequenceNr)
);

CREATE INDEX IX_EVENTJOURNAL_SequenceNr ON EVENTJOURNAL(SequenceNr);
CREATE INDEX IX_EVENTJOURNAL_Timestamp ON EVENTJOURNAL(Timestamp);

CREATE SEQUENCE EVENTJOURNAL_SEQ
    START WITH 1
    INCREMENT BY 1
    CACHE 1000
    ORDER
    NOCYCLE
    NOMAXVALUE;

CREATE OR REPLACE TRIGGER EVENTJOURNAL_TRG
BEFORE INSERT ON EVENTJOURNAL
FOR EACH ROW
BEGIN
    :new.Ordering := EVENTJOURNAL_SEQ.NEXTVAL;
END;

/

ALTER TRIGGER EVENTJOURNAL_TRG ENABLE;

CREATE TABLE METADATA (
    PersistenceId NVARCHAR2(255) NOT NULL,
    SequenceNr NUMBER(19,0) NOT NULL,
    CONSTRAINT PK_METADATA PRIMARY KEY (PersistenceId, SequenceNr)
);

CREATE TABLE SNAPSHOTSTORE (
    PersistenceId NVARCHAR2(255) NOT NULL,
    SequenceNr NUMBER(19,0) NOT NULL,
    Timestamp TIMESTAMP(7) NOT NULL,
    Manifest NVARCHAR2(500) NOT NULL,
    Snapshot BLOB NOT NULL,
    SerializerId NUMBER(10,0) NULL,
    CONSTRAINT PK_SNAPSHOTSTORE PRIMARY KEY (PersistenceId, SequenceNr)
);

CREATE INDEX IX_SNAPSHOTSTORE_SequenceNr ON SNAPSHOTSTORE(SequenceNr);
CREATE INDEX IX_SNAPSHOTSTORE_Timestamp ON SNAPSHOTSTORE(Timestamp);
CREATE INDEX IX_SNAPSHOTSTORE_03 ON SNAPSHOTSTORE(Timestamp, SequenceNr DESC, PersistenceId);

Migration

From 1.3.1 to 1.3.10

ALTER TABLE EVENTJOURNAL ADD CONSTRAINT PK_EVENTJOURNAL PRIMARY KEY (ORDERING);

From 1.1.2 to 1.3.1

ALTER TABLE {your_journal_table_name} ADD SerializerId NUMBER(10,0) NULL;
ALTER TABLE {your_snapshot_table_name} ADD SerializerId NUMBER(10,0) NULL;

CREATE INDEX IX_SNAPSHOTSTORE_03 ON {your_snapshot_table_name}(Timestamp, SequenceNr DESC, PersistenceId);

Preparing the test environment

In order to run the tests, you must do the following things:

  1. Download and install Docker for Windows from: https://docs.docker.com/docker-for-windows/

  2. Get Oracle Express 11g R2 on Ubuntu 16.04 LTS from: https://hub.docker.com/r/wnameless/oracle-xe-11g/

  3. Run the following script to create the proper user and schema:

    CREATE USER AKKA_PERSISTENCE_TEST IDENTIFIED BY akkadotnet;
GRANT CREATE SESSION TO AKKA_PERSISTENCE_TEST;
GRANT CREATE TABLE TO AKKA_PERSISTENCE_TEST;
GRANT CREATE VIEW TO AKKA_PERSISTENCE_TEST;
GRANT CREATE SEQUENCE TO AKKA_PERSISTENCE_TEST;
GRANT CREATE TRIGGER TO AKKA_PERSISTENCE_TEST;

ALTER USER AKKA_PERSISTENCE_TEST QUOTA UNLIMITED ON USERS;
ALTER USER AKKA_PERSISTENCE_TEST DEFAULT TABLESPACE USERS;

  4. The default connection string uses the following credentials: Data Source=192.168.99.100:1521/XE;User Id=AKKA_PERSISTENCE_TEST;Password=akkadotnet;

  5. A custom app.config file can be used and needs to be placed in the same folder as the dll

Running the tests

The Oracle tests are packaged and run as part of the "RunTests" and "All" build tasks. Run the following command from the PowerShell command line:

PS> .\build RunTests

License

FOSSA Status

akka.persistence.oracle's People

Contributors

azure-pipelines[bot] avatar codacy-badger avatar fossabot avatar ismaelhamed avatar mend-bolt-for-github[bot] avatar seihl-gh avatar

Stargazers

avatar avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

onurgumus fossabot arkatufus

akka.persistence.oracle's Issues

system.text.regularexpressions.4.3.0.nupkg: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg

Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...

Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle/Akka.Persistence.Oracle.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (system.text.regularexpressions.4.3.0.nupkg version) Remediation Possible**
CVE-2019-0820 High 7.5 system.text.regularexpressions.4.3.0.nupkg Direct System.Text.RegularExpressions - 4.3.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-0820

Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg

Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...

Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle/Akka.Persistence.Oracle.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Dependency Hierarchy:

  • system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Found in base branch: dev

Vulnerability Details

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.

Publish Date: 2019-05-16

URL: CVE-2019-0820

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cmhx-cq75-c4mj

Release Date: 2019-05-16

Fix Resolution: System.Text.RegularExpressions - 4.3.1

Step up your Open Source Security Game with Mend here

akka.persistence.query.sql.1.4.39.nupkg: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - akka.persistence.query.sql.1.4.39.nupkg

Path to dependency file: /src/Benchmark/Benchmark.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/newtonsoft.json/12.0.3/newtonsoft.json.12.0.3.nupkg

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
WS-2022-0161 High 7.5 newtonsoft.json.12.0.3.nupkg Transitive N/A
CVE-2022-1941 Medium 5.5 google.protobuf.3.19.4.nupkg Transitive N/A

Details

WS-2022-0161

Vulnerable Library - newtonsoft.json.12.0.3.nupkg

Json.NET is a popular high-performance JSON framework for .NET

Library home page: https://api.nuget.org/packages/newtonsoft.json.12.0.3.nupkg

Path to dependency file: /src/Benchmark/Benchmark.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/newtonsoft.json/12.0.3/newtonsoft.json.12.0.3.nupkg

Dependency Hierarchy:

  • akka.persistence.query.sql.1.4.39.nupkg (Root Library)
    • akka.persistence.1.4.39.nupkg
      • akka.1.4.39.nupkg
        • newtonsoft.json.12.0.3.nupkg (Vulnerable Library)

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Found in base branch: dev

Vulnerability Details

Improper Handling of Exceptional Conditions in Newtonsoft.Json.
Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of StackOverFlow exception (SOE) whenever nested expressions are being processed. Exploiting this vulnerability results in Denial Of Service (DoS), and it is exploitable when an attacker sends 5 requests that cause SOE in time frame of 5 minutes. This vulnerability affects Internet Information Services (IIS) Applications.

Publish Date: 2022-06-22

URL: WS-2022-0161

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-06-22

Fix Resolution: Newtonsoft.Json - 13.0.1;Microsoft.Extensions.ApiDescription.Server - 6.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-1941

Vulnerable Library - google.protobuf.3.19.4.nupkg

C# runtime library for Protocol Buffers - Google's data interchange format.

Library home page: https://api.nuget.org/packages/google.protobuf.3.19.4.nupkg

Path to dependency file: /src/Benchmark/Benchmark.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg

Dependency Hierarchy:

  • akka.persistence.query.sql.1.4.39.nupkg (Root Library)
    • akka.persistence.1.4.39.nupkg
      • google.protobuf.3.19.4.nupkg (Vulnerable Library)

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Found in base branch: dev

Vulnerability Details

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Publish Date: 2022-09-22

URL: CVE-2022-1941

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cloud.google.com/support/bulletins#GCP-2022-019

Release Date: 2022-09-22

Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6

Step up your Open Source Security Game with Mend here

akka.persistence.oracle.1.4.39.nupkg: 2 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - akka.persistence.oracle.1.4.39.nupkg

Path to vulnerable library: /home/wss-scanner/.nuget/packages/newtonsoft.json/12.0.3/newtonsoft.json.12.0.3.nupkg

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (akka.persistence.oracle.1.4.39.nupkg version) Remediation Available
WS-2022-0161 High 7.5 newtonsoft.json.12.0.3.nupkg Transitive N/A*
CVE-2022-1941 High 7.5 google.protobuf.3.19.4.nupkg Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

WS-2022-0161

Vulnerable Library - newtonsoft.json.12.0.3.nupkg

Json.NET is a popular high-performance JSON framework for .NET

Library home page: https://api.nuget.org/packages/newtonsoft.json.12.0.3.nupkg

Path to dependency file: /src/Benchmark/Benchmark.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/newtonsoft.json/12.0.3/newtonsoft.json.12.0.3.nupkg

Dependency Hierarchy:

  • akka.persistence.oracle.1.4.39.nupkg (Root Library)
    • akka.persistence.sql.common.1.4.45.nupkg
      • akka.persistence.1.4.45.nupkg
        • akka.1.4.45.nupkg
          • newtonsoft.json.12.0.3.nupkg (Vulnerable Library)

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Found in base branch: dev

Vulnerability Details

Improper Handling of Exceptional Conditions in Newtonsoft.Json.
Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of StackOverFlow exception (SOE) whenever nested expressions are being processed. Exploiting this vulnerability results in Denial Of Service (DoS), and it is exploitable when an attacker sends 5 requests that cause SOE in time frame of 5 minutes. This vulnerability affects Internet Information Services (IIS) Applications.

Publish Date: 2022-06-22

URL: WS-2022-0161

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-06-22

Fix Resolution: Newtonsoft.Json - 13.0.1;Microsoft.Extensions.ApiDescription.Server - 6.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-1941

Vulnerable Library - google.protobuf.3.19.4.nupkg

C# runtime library for Protocol Buffers - Google's data interchange format.

Library home page: https://api.nuget.org/packages/google.protobuf.3.19.4.nupkg

Path to dependency file: /src/Benchmark/Benchmark.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg

Dependency Hierarchy:

  • akka.persistence.oracle.1.4.39.nupkg (Root Library)
    • akka.persistence.sql.common.1.4.45.nupkg
      • akka.persistence.1.4.45.nupkg
        • google.protobuf.3.19.4.nupkg (Vulnerable Library)

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Found in base branch: dev

Vulnerability Details

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Publish Date: 2022-09-22

URL: CVE-2022-1941

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cloud.google.com/support/bulletins#GCP-2022-019

Release Date: 2022-09-22

Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6

Step up your Open Source Security Game with Mend here

akka.persistence.sql.testkit.1.4.45.nupkg: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - akka.persistence.sql.testkit.1.4.45.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle.Tests/Akka.Persistence.Oracle.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (akka.persistence.sql.testkit.1.4.45.nupkg version) Remediation Available
CVE-2022-1941 High 7.5 google.protobuf.3.19.4.nupkg Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-1941

Vulnerable Library - google.protobuf.3.19.4.nupkg

C# runtime library for Protocol Buffers - Google's data interchange format.

Library home page: https://api.nuget.org/packages/google.protobuf.3.19.4.nupkg

Path to dependency file: /src/Benchmark/Benchmark.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg

Dependency Hierarchy:

  • akka.persistence.sql.testkit.1.4.45.nupkg (Root Library)
    • akka.persistence.query.sql.1.4.45.nupkg
      • akka.persistence.1.4.45.nupkg
        • google.protobuf.3.19.4.nupkg (Vulnerable Library)

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Found in base branch: dev

Vulnerability Details

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Publish Date: 2022-09-22

URL: CVE-2022-1941

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cloud.google.com/support/bulletins#GCP-2022-019

Release Date: 2022-09-22

Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6

Step up your Open Source Security Game with Mend here

xunit.2.4.2.nupkg: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - xunit.2.4.2.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle.Tests/Akka.Persistence.Oracle.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (xunit.2.4.2.nupkg version) Remediation Available
CVE-2018-8292 High 7.5 system.net.http.4.3.0.nupkg Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2018-8292

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers.

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle.Tests/Akka.Persistence.Oracle.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.4.2.nupkg (Root Library)
    • xunit.assert.2.4.2.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Found in base branch: dev

Vulnerability Details

An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.

Publish Date: 2018-10-10

URL: CVE-2018-8292

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-10-10

Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1

Step up your Open Source Security Game with Mend here

oracle.manageddataaccess.core.3.21.80.nupkg: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - oracle.manageddataaccess.core.3.21.80.nupkg

Oracle Data Provider for .NET Core for Oracle Database

Library home page: https://api.nuget.org/packages/oracle.manageddataaccess.core.3.21.80.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle/Akka.Persistence.Oracle.csproj

Path to vulnerable library: /racle.manageddataaccess.core/3.21.80/oracle.manageddataaccess.core.3.21.80.nupkg,/home/wss-scanner/.nuget/packages/oracle.manageddataaccess.core/3.21.80/oracle.manageddataaccess.core.3.21.80.nupkg

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (oracle.manageddataaccess.core.3.21.80.nupkg version) Remediation Available
CVE-2023-21893 High 7.5 oracle.manageddataaccess.core.3.21.80.nupkg Direct Oracle.ManagedDataAccess - 21.9.0, Oracle.ManagedDataAccess.Core - 3.21.90

Details

CVE-2023-21893

Vulnerable Library - oracle.manageddataaccess.core.3.21.80.nupkg

Oracle Data Provider for .NET Core for Oracle Database

Library home page: https://api.nuget.org/packages/oracle.manageddataaccess.core.3.21.80.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle/Akka.Persistence.Oracle.csproj

Path to vulnerable library: /racle.manageddataaccess.core/3.21.80/oracle.manageddataaccess.core.3.21.80.nupkg,/home/wss-scanner/.nuget/packages/oracle.manageddataaccess.core/3.21.80/oracle.manageddataaccess.core.3.21.80.nupkg

Dependency Hierarchy:

  • oracle.manageddataaccess.core.3.21.80.nupkg (Vulnerable Library)

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Found in base branch: dev

Vulnerability Details

Vulnerability in the Oracle Data Provider for .NET component of Oracle Database Server. Supported versions that are affected are 19c and 21c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TCPS to compromise Oracle Data Provider for .NET. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Data Provider for .NET. Note: Applies also to Database client-only on Windows platform. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

Publish Date: 2023-01-18

URL: CVE-2023-21893

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5pm2-9mr2-3frq

Release Date: 2023-01-18

Fix Resolution: Oracle.ManagedDataAccess - 21.9.0, Oracle.ManagedDataAccess.Core - 3.21.90

Step up your Open Source Security Game with Mend here

move or fork to odp.net core

odp.net.core now supports .net standart. I believe it is a good idea to move to odp.net core or fork the project.

microsoft.extensions.configuration.xml.6.0.0.nupkg: 1 vulnerabilities (highest severity is: 5.9) - autoclosed

Vulnerable Library - microsoft.extensions.configuration.xml.6.0.0.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle.Tests/Akka.Persistence.Oracle.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.security.cryptography.xml/6.0.0/system.security.cryptography.xml.6.0.0.nupkg

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (microsoft.extensions.configuration.xml.6.0.0.nupkg version) Remediation Available
CVE-2022-34716 Medium 5.9 system.security.cryptography.xml.6.0.0.nupkg Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-34716

Vulnerable Library - system.security.cryptography.xml.6.0.0.nupkg

Provides classes to support the creation and validation of XML digital signatures. The classes in th...

Library home page: https://api.nuget.org/packages/system.security.cryptography.xml.6.0.0.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle.Tests/Akka.Persistence.Oracle.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.security.cryptography.xml/6.0.0/system.security.cryptography.xml.6.0.0.nupkg

Dependency Hierarchy:

  • microsoft.extensions.configuration.xml.6.0.0.nupkg (Root Library)
    • system.security.cryptography.xml.6.0.0.nupkg (Vulnerable Library)

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Found in base branch: dev

Vulnerability Details

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. An information disclosure vulnerability exists in .NET Core 3.1 and .NET 6.0 that could lead to unauthorized access of privileged information.

Affected software

  • Any .NET 6.0 application running on .NET 6.0.7 or earlier.
  • Any .NET Core 3.1 applicaiton running on .NET Core 3.1.27 or earlier.

Patches

Publish Date: 2022-08-09

URL: CVE-2022-34716

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2m65-m22p-9wjw

Release Date: 2022-08-09

Fix Resolution: Microsoft.AspNetCore.App.Runtime.linux-arm - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-arm64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-musl-arm - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-musl-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.linux-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.osx-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-arm - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-arm64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-x64 - 3.1.28,6.0.8;Microsoft.AspNetCore.App.Runtime.win-x86 - 3.1.28,6.0.8;System.Security.Cryptography.Xml - 4.7.1,6.0.1

Step up your Open Source Security Game with Mend here

oracle.manageddataaccess.21.8.0.nupkg: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - oracle.manageddataaccess.21.8.0.nupkg

Oracle Data Provider for .NET, Managed Driver for Oracle Database.

Library home page: https://api.nuget.org/packages/oracle.manageddataaccess.21.8.0.nupkg

Path to dependency file: /src/Benchmark/Benchmark.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/oracle.manageddataaccess/21.8.0/oracle.manageddataaccess.21.8.0.nupkg,/racle.manageddataaccess/21.8.0/oracle.manageddataaccess.21.8.0.nupkg

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (oracle.manageddataaccess.21.8.0.nupkg version) Remediation Available
CVE-2023-21893 High 7.5 oracle.manageddataaccess.21.8.0.nupkg Direct Oracle.ManagedDataAccess - 21.9.0, Oracle.ManagedDataAccess.Core - 3.21.90

Details

CVE-2023-21893

Vulnerable Library - oracle.manageddataaccess.21.8.0.nupkg

Oracle Data Provider for .NET, Managed Driver for Oracle Database.

Library home page: https://api.nuget.org/packages/oracle.manageddataaccess.21.8.0.nupkg

Path to dependency file: /src/Benchmark/Benchmark.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/oracle.manageddataaccess/21.8.0/oracle.manageddataaccess.21.8.0.nupkg,/racle.manageddataaccess/21.8.0/oracle.manageddataaccess.21.8.0.nupkg

Dependency Hierarchy:

  • oracle.manageddataaccess.21.8.0.nupkg (Vulnerable Library)

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Found in base branch: dev

Vulnerability Details

Vulnerability in the Oracle Data Provider for .NET component of Oracle Database Server. Supported versions that are affected are 19c and 21c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TCPS to compromise Oracle Data Provider for .NET. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Data Provider for .NET. Note: Applies also to Database client-only on Windows platform. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

Publish Date: 2023-01-18

URL: CVE-2023-21893

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5pm2-9mr2-3frq

Release Date: 2023-01-18

Fix Resolution: Oracle.ManagedDataAccess - 21.9.0, Oracle.ManagedDataAccess.Core - 3.21.90

Step up your Open Source Security Game with Mend here

xunit.2.4.1.nupkg: 5 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - xunit.2.4.1.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle.Tests/Akka.Persistence.Oracle.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2018-8292 High 7.5 system.net.http.4.3.0.nupkg Transitive N/A
CVE-2017-0247 High 7.5 system.net.http.4.3.0.nupkg Transitive N/A
CVE-2017-0248 High 7.5 system.net.http.4.3.0.nupkg Transitive N/A
CVE-2017-0249 High 7.3 system.net.http.4.3.0.nupkg Transitive N/A
CVE-2017-0256 Medium 5.3 system.net.http.4.3.0.nupkg Transitive N/A

Details

CVE-2018-8292

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle.Tests/Akka.Persistence.Oracle.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.4.1.nupkg (Root Library)
    • xunit.assert.2.4.1.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Found in base branch: dev

Vulnerability Details

An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.

Publish Date: 2018-10-10

URL: CVE-2018-8292

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-10-10

Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1

Step up your Open Source Security Game with Mend here

CVE-2017-0247

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle.Tests/Akka.Persistence.Oracle.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.4.1.nupkg (Root Library)
    • xunit.assert.2.4.1.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Found in base branch: dev

Vulnerability Details

A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.

Publish Date: 2017-05-12

URL: CVE-2017-0247

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-05-12

Fix Resolution: System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.5.4;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3

Step up your Open Source Security Game with Mend here

CVE-2017-0248

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle.Tests/Akka.Persistence.Oracle.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.4.1.nupkg (Root Library)
    • xunit.assert.2.4.1.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Found in base branch: dev

Vulnerability Details

Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka ".NET Security Feature Bypass Vulnerability."

Publish Date: 2017-05-12

URL: CVE-2017-0248

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-05-12

Fix Resolution: System.Text.Encodings.Web - 4.0.1, 4.3.1;System.Net.Http - 4.1.2, 4.3.2;System.Net.Http.WinHttpHandler - 4.0.2, 4.3.1;System.Net.Security - 4.0.1, 4.3.1;System.Net.WebSockets.Client - 4.0.1, 4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4, 1.1.3

Step up your Open Source Security Game with Mend here

CVE-2017-0249

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle.Tests/Akka.Persistence.Oracle.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.4.1.nupkg (Root Library)
    • xunit.assert.2.4.1.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Found in base branch: dev

Vulnerability Details

An elevation of privilege vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.

Publish Date: 2017-05-12

URL: CVE-2017-0249

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-05-12

Fix Resolution: System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.3.1;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3

Step up your Open Source Security Game with Mend here

CVE-2017-0256

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle.Tests/Akka.Persistence.Oracle.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.4.1.nupkg (Root Library)
    • xunit.assert.2.4.1.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Found in base branch: dev

Vulnerability Details

A spoofing vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.

Publish Date: 2017-05-12

URL: CVE-2017-0256

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-0256

Release Date: 2017-05-12

Fix Resolution: Microsoft.AspNetCore.Mvc.ApiExplorer - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.Abstractions - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.1.3,1.0.4;System.Net.Http - 4.1.2,4.3.2;Microsoft.AspNetCore.Mvc.Razor - 1.1.3,1.0.4;System.Net.Http.WinHttpHandler - 4.0.2,4.3.0-preview1-24530-04;System.Net.Security - 4.3.0-preview1-24530-04,4.0.1;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;System.Text.Encodings.Web - 4.3.0-preview1-24530-04,4.0.1;Microsoft.AspNetCore.Mvc.Razor.Host - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3;System.Net.WebSockets.Client - 4.3.0-preview1-24530-04,4.0.1;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3

Step up your Open Source Security Game with Mend here

microsoft.extensions.configuration.xml.7.0.0.nupkg: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - microsoft.extensions.configuration.xml.7.0.0.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle.Tests/Akka.Persistence.Oracle.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.security.cryptography.pkcs/7.0.0/system.security.cryptography.pkcs.7.0.0.nupkg

Found in HEAD commit: d39889d06f1374b99cf4478ccbf7c20c1f86f5fa

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (microsoft.extensions.configuration.xml.7.0.0.nupkg version) Remediation Possible**
CVE-2023-29331 High 7.5 system.security.cryptography.pkcs.7.0.0.nupkg Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-29331

Vulnerable Library - system.security.cryptography.pkcs.7.0.0.nupkg

Provides support for PKCS and CMS algorithms.

Commonly Used Types:
System.Security.Cryptography.Pkcs.EnvelopedCms

Library home page: https://api.nuget.org/packages/system.security.cryptography.pkcs.7.0.0.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle.Tests/Akka.Persistence.Oracle.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.security.cryptography.pkcs/7.0.0/system.security.cryptography.pkcs.7.0.0.nupkg

Dependency Hierarchy:

  • microsoft.extensions.configuration.xml.7.0.0.nupkg (Root Library)
    • system.security.cryptography.xml.7.0.0.nupkg
      • system.security.cryptography.pkcs.7.0.0.nupkg (Vulnerable Library)

Found in HEAD commit: d39889d06f1374b99cf4478ccbf7c20c1f86f5fa

Found in base branch: dev

Vulnerability Details

.NET, .NET Framework, and Visual Studio Denial of Service Vulnerability

Publish Date: 2023-06-14

URL: CVE-2023-29331

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-555c-2p6r-68mm

Release Date: 2023-06-14

Fix Resolution: Microsoft.NetCore.App.Runtime.linux-arm - 6.0.18,7.0.7, Microsoft.Windows.Compatibility - 6.0.6,7.0.3, System.Security.Cryptography.Pkcs - 6.0.3,7.0.2

Step up your Open Source Security Game with Mend here

netstandard.library.1.6.0.nupkg: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - netstandard.library.1.6.0.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle/Akka.Persistence.Oracle.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.1.0/system.net.http.4.1.0.nupkg

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (netstandard.library.1.6.0.nupkg version) Remediation Available
CVE-2018-8292 High 7.5 system.net.http.4.1.0.nupkg Transitive N/A*
CVE-2019-0820 High 7.5 system.text.regularexpressions.4.3.0.nupkg Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2018-8292

Vulnerable Library - system.net.http.4.1.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.1.0.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle/Akka.Persistence.Oracle.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.1.0/system.net.http.4.1.0.nupkg

Dependency Hierarchy:

  • netstandard.library.1.6.0.nupkg (Root Library)
    • system.net.http.4.1.0.nupkg (Vulnerable Library)

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Found in base branch: dev

Vulnerability Details

An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.

Publish Date: 2018-10-10

URL: CVE-2018-8292

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-10-10

Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1

Step up your Open Source Security Game with Mend here

CVE-2019-0820

Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg

Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...

Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg

Path to dependency file: /src/Akka.Persistence.Oracle/Akka.Persistence.Oracle.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Dependency Hierarchy:

  • netstandard.library.1.6.0.nupkg (Root Library)
    • system.xml.xdocument.4.0.11.nupkg
      • system.xml.readerwriter.4.0.11.nupkg
        • system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 298ddd225c244b10db0f379f48ef0e61f83f37c7

Found in base branch: dev

Vulnerability Details

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.

Publish Date: 2019-05-16

URL: CVE-2019-0820

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cmhx-cq75-c4mj

Release Date: 2019-05-16

Fix Resolution: System.Text.RegularExpressions - 4.3.1

Step up your Open Source Security Game with Mend here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.