Prerequisites
Steps to reproduce
I am scanning a binary installation of PowerShell for Alpine Linux. When I run trivy, I get the following vulnerabilities:
┌──────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ System.Private.Uri │ CVE-2019-0980 │ HIGH │ 4.3.0 │ 4.3.2 │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net │
│ │ │ │ │ │ Core Denial of Service... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-0980 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-0981 │ │ │ │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
│ │ │ │ │ │ Denial of Service │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-0981 │
│ ├────────────────┼──────────┤ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-0657 │ MEDIUM │ │ │ dotnet: Domain-spoofing attack in System.Uri │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-0657 │
├──────────────────────────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Xml │ CVE-2022-34716 │ │ 6.0.0 │ 6.0.1, 4.7.1 │ dotnet: External Entity Injection during XML signature │
│ │ │ │ │ │ verification │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-34716 │
└──────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
I wanted to update the system.private.dll but can't due to it being included directly in the version of this program.
Expected behavior
Microsoft should take security seriously and update this component to 4.3.2 (it's been fixed 3 years!)
Actual behavior
System reports version 4.3.0 of System.Private.Uri when it should be 4.3.2
Error details
System reports inappropriate version.
Environment data
Name Value
---- -----
PSVersion 7.2.7
PSEdition Core
GitCommitId 7.2.7
OS Linux 5.15.49-linuxkit #1 SMP Tue Sep 13 07:51:46 UTC 2022
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Visuals
Mostly the listed error.
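Trivy takes these findings from the .NET dependency manifest shipped with the installation (the `.deps.json` file), not from the DLLs themselves, so the quickest way to confirm the reported versions on a box is to read that manifest directly. The script below is an added example written for this report, not code from the reporter or from the PowerShell project. It assumes the manifest lives at `$PSHOME/pwsh.deps.json` (the layout of the official builds) and takes the package names and fixed versions from the trivy table above.

```powershell
# Added example: confirm what trivy reported by reading PowerShell's own deps.json.
# Assumption: the manifest is at $PSHOME/pwsh.deps.json (official build layout).
$depsFile = Join-Path $PSHOME 'pwsh.deps.json'

# Package -> fixed versions, copied from the trivy table in this report.
$advisories = @{
    'System.Private.Uri'               = @('4.3.2')
    'System.Security.Cryptography.Xml' = @('6.0.1', '4.7.1')
}

function Get-DepsPackages {
    param([string]$Path)
    $deps = Get-Content -Path $Path -Raw | ConvertFrom-Json
    # Library keys look like "System.Private.Uri/4.3.0"; only type "package" entries
    # are NuGet packages, which is what the advisories refer to.
    foreach ($prop in $deps.libraries.PSObject.Properties) {
        if ($prop.Value.type -ne 'package') { continue }
        $name, $version = $prop.Name -split '/', 2
        # Drop a prerelease suffix such as "-preview.1" so [version] can parse it.
        $version = $version -replace '-.*$'
        [pscustomobject]@{ Name = $name; Version = [version]$version }
    }
}

function Test-FixedVersion {
    param([version]$Installed, [string[]]$Fixed)
    # A fix applies on the release branch with the same major version: a 4.x install
    # is not fixed by 6.0.1, and a 6.x install is not fixed by 4.7.1.
    $candidate = $Fixed |
        ForEach-Object { [version]$_ } |
        Where-Object { $_.Major -eq $Installed.Major } |
        Select-Object -First 1
    if (-not $candidate) { return $false }
    return $Installed -ge $candidate
}

Get-DepsPackages -Path $depsFile |
    Where-Object { $advisories.ContainsKey($_.Name) } |
    ForEach-Object {
        [pscustomobject]@{
            Package   = $_.Name
            Installed = $_.Version
            FixedIn   = $advisories[$_.Name] -join ', '
            Patched   = Test-FixedVersion -Installed $_.Version -Fixed $advisories[$_.Name]
        }
    } | Format-Table -AutoSize
```

On the 7.2.7 install described above this prints `Patched` as `False` for both packages, which matches the scanner output. Because the manifest is what the scanner reads, a package that is listed there at a vulnerable version will keep being flagged until the PowerShell build itself references the fixed package, regardless of what else is installed on the host.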