Todas las ideas/devtools/Plataforma SaaS de análisis y remediación automática de vulnerabilidades en dependencias transitorias de proyectos .NET, con alertas y recomendaciones personalizadas.

GitHubB2Bdevtools

Plataforma SaaS de análisis y remediación automática de vulnerabilidades en dependencias transitorias de proyectos .NET, con alertas y recomendaciones personalizadas.

Detectado hace 8 horas

7.0/ 10

Puntaje general

Convierte esta senal en ventaja

Te ayudamos a construirla, validarla y llegar primero.

Pasamos de la idea al plan: quien compra, que MVP lanzar, como validarlo y que medir antes de invertir meses.

Contexto extra

Ver mas sobre la idea

Te contamos que significa realmente la oportunidad, que problema existe hoy, como esta idea lo resolveria y los conceptos clave detras de ella.

Desglose del puntaje

Urgencia8.0

Tamano de mercado7.0

Viabilidad7.0

Competencia6.0

Dolor

Vulnerabilidades en dependencias transitorias de librerías .NET que no pueden ser corregidas automáticamente y son alcanzables, exponiendo información sensible.

Quien pagaria por esto

Equipos de desarrollo de software, empresas que mantienen proyectos en .NET, y departamentos de seguridad TI.

Senal de origen

"For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed."

Publicacion original

netstandard.library.1.6.0.nupkg: 1 vulnerabilities (highest severity is: 7.5) reachable

Publicado: hace 8 horas

Repository: jgeraigery/coremltools Author: mend-for-github-com[bot] <details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Library - netstandard.library.1.6.0.nupkg</summary> Path to dependency file: /deps/protobuf/csharp/src/Google.Protobuf.Test/Google.Protobuf.Test.csproj Path to vulnerable library: /opt/containerbase/tools/dotnet/sdk/NuGetFallbackFolder/system.net.http/4.1.0/system.net.http.4.1.0.nupkg Found in HEAD commit: <a href="https://github.com/jgeraigery/coremltools/commit/cb187ac68bbd85399a27da116bd477a755448e9e">cb187ac68bbd85399a27da116bd477a755448e9e</a></details> ## Vulnerabilities | Vulnerability | Severity | <img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (netstandard.library.1.6.0.nupkg version) | Remediation Possible** | Reachability | | ------------- | ------------- | ----- | ----- | ----- | ----- | ----- | ------------- | --- | --- | | [CVE-2018-8292](https://www.mend.io/vulnerability-database/CVE-2018-8292) | <img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> High | 7.5 | Not Defined | 6.8% | system.net.http.4.1.0.nupkg | Transitive | N/A* | ❌|<img src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=19 height=20> Reachable | *For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation ## Details <details> <summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> <img src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=19 height=20> CVE-2018-8292</summary> ### Vulnerable Library - system.net.http.4.1.0.nupkg Provides a programming interface for modern HTTP applications, including HTTP client components that... Library home page: <a href="https://api.nuget.org/packages/system.net.http.4.1.0.nupkg">https://api.nuget.org/packages/system.net.http.4.1.0.nupkg</a> Path to dependency file: /deps/protobuf/csharp/src/Google.Protobuf.Test/Google.Protobuf.Test.csproj Path to vulnerable library: /opt/containerbase/tools/dotnet/sdk/NuGetFallbackFolder/system.net.http/4.1.0/system.net.http.4.1.0.nupkg Dependency Hierarchy: - netstandard.library.1.6.0.nupkg (Root Library) - :x: **system.net.http.4.1.0.nupkg** (Vulnerable Library) Found in HEAD commit: <a href="https://github.com/jgeraigery/coremltools/commit/cb187ac68bbd85399a27da116bd477a755448e9e">cb187ac68bbd85399a27da116bd477a755448e9e</a> Found in base branch: main ### Reachability Analysis This vulnerability is potentially reachable ``` Google.Protobuf.ProtoDump.Program (Application) -> System.IO.File (Extension) -> System.IO.StreamReader (Extension) -> System.SR (Extension) ... -> System.IO.UnmanagedMemoryStream (Extension) -> System.Runtime.InteropServices.SafeBuffer (Extension) -> ❌ Microsoft.Win32.SafeHandles.SafeHandleZeroOrMinusOneIsInvalid (Vulnerable Component) ``` ### Vulnerability Details An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0. Publish Date: 2018-10-10 URL: <a href=https://www.mend.io/vulnerability-database/CVE-2018-8292>CVE-2018-8292</a> ### Threat Assessment Exploit Maturity: Not Defined EPSS: 6.8% ### CVSS 3 Score Details (7.5) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>. ### Suggested Fix Type: Upgrade version Release Date: 2018-10-10 Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1 </details>

Ver en github ↗