Latest 6.* and 7.* versions of Microsoft.VisualStudio.Web.CodeGeneration.Design result in vulnerable version of NuGet.Packaging being installed CVE-2024-0057. #2711
Comments
|
Yup will fix in the next servicing, tyty |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Consumers of the Microsoft.VisualStudio.Web.CodeGeneration.Design package that have not upgraded their projects to .net 8 yet will inadvertently end up with NuGet.Packaging 6.6.1 being installed which has a critical vulnerability CVE-2024-0057
Here is an example of the dependency tree that is resolved:
[email protected]
=> [email protected]
=> [email protected]
=> [email protected]
=> [email protected]
=> [email protected]
And for .net 7
[email protected]
=> [email protected]
=> [email protected]
=> [email protected]
=> [email protected]
=> [email protected]
Given that .net 6 and 7 are still supported both of those major versions should receive a new patch version without vulnerabilities in the transient dependencies.
The easiest solution I see:
Microsoft.DotNet.Scaffolding.Shared needs to have the reference to NuGet.ProjectModel updated to 6.6.2, 6.7.1, 6.8.1 or 6.9.1 and then that new patch version of Microsoft.DotNet.Scaffolding.Shared should be installed as the updated dependency in Microsoft.VisualStudio.Web.CodeGeneration.Design
The text was updated successfully, but these errors were encountered: