Dependency-Check Report

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

Scan Information (show all):

dependency-check version: 12.1.0
Report Generated On: Tue, 4 Mar 2025 11:16:13 +0530
Dependencies Scanned: 7 (7 unique)
Vulnerable Dependencies: 2
Vulnerabilities Found: 2
Vulnerabilities Suppressed: 0
...
NVD API Last Checked: 2025-03-04T10:03:23+0530
NVD API Last Modified: 2025-03-04T04:15:15Z

Summary

Display: Showing Vulnerable Dependencies (click to show all)

Dependency	Vulnerability IDs	Package	Highest Severity	CVE Count	Confidence	Evidence Count
DotNetSdk.csproj				0		2
Microsoft.AspNetCore.App:2.2.8	cpe:2.3:a:app_project:app:2.2.8:::::::* cpe:2.3:a:asp-project:asp-project:2.2.8:::::::*	pkg:nuget/Microsoft.AspNetCore.App@2.2.8	HIGH	1	Low	8
Microsoft.AspNetCore.Http.Extensions:2.2.0	cpe:2.3:a:asp-project:asp-project:2.2.0:::::::*	pkg:nuget/Microsoft.AspNetCore.Http.Extensions@2.2.0		0	Low	8
Microsoft.AspNetCore.Http:2.2.2	cpe:2.3:a:asp-project:asp-project:2.2.2:::::::*	pkg:nuget/Microsoft.AspNetCore.Http@2.2.2	MEDIUM	1	Low	8
Microsoft.Extensions.Hosting:9.0.0		pkg:nuget/Microsoft.Extensions.Hosting@9.0.0		0		8
Newtonsoft.Json:13.0.3		pkg:nuget/Newtonsoft.Json@13.0.3		0		7
SDKTest.csproj				0		2

Dependencies (vulnerable)

DotNetSdk.csproj

File Path: D:\Auropayrepos\AuropayDotnetSDK\SDKCode\DotNetSdk.csproj
MD5: 075e4d7953a32a819509804ffdecad50
SHA1: 36935ebd6143dc18f55a0158f1875e640e5489d5
SHA256:e64829e9dd99697135021b44fb719347f778a2f5776394ee10ba2e6a8583c7f4

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	DotNetSdk	High
Product	file	name	DotNetSdk	High

Identifiers

None

Microsoft.AspNetCore.App:2.2.8

File Path: D:\Auropayrepos\AuropayDotnetSDK\SampleAppCode\SDKTest.csproj

Evidence

Type	Source	Name	Value	Confidence
Vendor	msbuild	id	AspNetCore	Low
Vendor	msbuild	id	AspNetCore.App	Low
Vendor	msbuild	id	Microsoft	Medium
Vendor	msbuild	id	Microsoft.AspNetCore.App	Medium
Product	msbuild	id	AspNetCore	Medium
Product	msbuild	id	AspNetCore.App	Medium
Product	msbuild	id	Microsoft.AspNetCore.App	Highest
Version	msbuild	version	2.2.8	Highest

Identifiers

pkg:nuget/Microsoft.AspNetCore.App@2.2.8 (Confidence:Highest)
cpe:2.3:a:app_project:app:2.2.8:*:*:*:*:*:*:* (Confidence:Low)
cpe:2.3:a:asp-project:asp-project:2.2.8:*:*:*:*:*:*:* (Confidence:Low)

Published Vulnerabilities

CVE-2020-1108 (OSSINDEX)

A denial of service vulnerability exists when .NET Core or .NET Framework improperly handles web requests, aka '.NET Core & .NET Framework Denial of Service Vulnerability'.

CWE-noinfo

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

OSSINDEX - [CVE-2020-1108] CWE-noinfo
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1108
OSSIndex - https://access.redhat.com/security/cve/CVE-2020-1108
OSSIndex - https://bugzilla.redhat.com/show_bug.cgi?id=1827643
OSSIndex - https://github.com/dotnet/runtime/issues/36313
OSSIndex - https://github.com/dotnet/runtime/pull/36348
OSSIndex - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1108

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:*:Microsoft.AspNetCore.App:2.2.8:*:*:*:*:*:*:*

Microsoft.AspNetCore.Http.Extensions:2.2.0

File Path: D:\Auropayrepos\AuropayDotnetSDK\SampleAppCode\SDKTest.csproj

Evidence

Type	Source	Name	Value	Confidence
Vendor	msbuild	id	AspNetCore	Low
Vendor	msbuild	id	AspNetCore.Http.Extensions	Low
Vendor	msbuild	id	Microsoft	Medium
Vendor	msbuild	id	Microsoft.AspNetCore.Http.Extensions	Medium
Product	msbuild	id	AspNetCore	Medium
Product	msbuild	id	AspNetCore.Http.Extensions	Medium
Product	msbuild	id	Microsoft.AspNetCore.Http.Extensions	Highest
Version	msbuild	version	2.2.0	Highest

Identifiers

pkg:nuget/Microsoft.AspNetCore.Http.Extensions@2.2.0 (Confidence:Highest)
cpe:2.3:a:asp-project:asp-project:2.2.0:*:*:*:*:*:*:* (Confidence:Low)

Microsoft.AspNetCore.Http:2.2.2

File Path: D:\Auropayrepos\AuropayDotnetSDK\SampleAppCode\SDKTest.csproj

Evidence

Type	Source	Name	Value	Confidence
Vendor	msbuild	id	AspNetCore	Low
Vendor	msbuild	id	AspNetCore.Http	Low
Vendor	msbuild	id	Microsoft	Medium
Vendor	msbuild	id	Microsoft.AspNetCore.Http	Medium
Product	msbuild	id	AspNetCore	Medium
Product	msbuild	id	AspNetCore.Http	Medium
Product	msbuild	id	Microsoft.AspNetCore.Http	Highest
Version	msbuild	version	2.2.2	Highest

Identifiers

pkg:nuget/Microsoft.AspNetCore.Http@2.2.2 (Confidence:Highest)
cpe:2.3:a:asp-project:asp-project:2.2.2:*:*:*:*:*:*:* (Confidence:Low)

Published Vulnerabilities

CVE-2020-1045 (OSSINDEX)

<p>A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.</p>
<p>The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.</p>
<p>The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.</p>


Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-1045 for details

CWE-noinfo

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

References:

OSSINDEX - [CVE-2020-1045] CWE-noinfo
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1045
OSSIndex - https://github.com/dotnet/announcements/issues/165
OSSIndex - https://github.com/dotnet/aspnetcore/issues/23578
OSSIndex - https://github.com/dotnet/aspnetcore/issues/25701
OSSIndex - https://github.com/dotnet/aspnetcore/pull/23579
OSSIndex - https://github.com/dotnet/aspnetcore/pull/24264
OSSIndex - https://github.com/dotnet/aspnetcore/pull/24389
OSSIndex - https://github.com/dotnet/core/blob/master/release-notes/3.1/3.1.8/3.1.8.md#cve-2020-1045--microsoft-aspnet-core-security-feature-bypass-vulnerability
OSSIndex - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1045

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:*:Microsoft.AspNetCore.Http:2.2.2:*:*:*:*:*:*:*

Microsoft.Extensions.Hosting:9.0.0

File Path: D:\Auropayrepos\AuropayDotnetSDK\SDKCode\DotNetSdk.csproj

Evidence

Type	Source	Name	Value	Confidence
Vendor	msbuild	id	Extensions	Low
Vendor	msbuild	id	Extensions.Hosting	Low
Vendor	msbuild	id	Microsoft	Medium
Vendor	msbuild	id	Microsoft.Extensions.Hosting	Medium
Product	msbuild	id	Extensions	Medium
Product	msbuild	id	Extensions.Hosting	Medium
Product	msbuild	id	Microsoft.Extensions.Hosting	Highest
Version	msbuild	version	9.0.0	Highest

Identifiers

pkg:nuget/Microsoft.Extensions.Hosting@9.0.0 (Confidence:Highest)

Newtonsoft.Json:13.0.3

File Path: D:\Auropayrepos\AuropayDotnetSDK\SDKCode\DotNetSdk.csproj

Evidence

Type	Source	Name	Value	Confidence
Vendor	msbuild	id	Json	Low
Vendor	msbuild	id	Newtonsoft	Medium
Vendor	msbuild	id	Newtonsoft.Json	Medium
Product	hint analyzer	vendor	net	Medium
Product	msbuild	id	Json	Medium
Product	msbuild	id	Newtonsoft.Json	Highest
Version	msbuild	version	13.0.3	Highest

Identifiers

pkg:nuget/Newtonsoft.Json@13.0.3 (Confidence:Highest)

SDKTest.csproj

File Path: D:\Auropayrepos\AuropayDotnetSDK\SampleAppCode\SDKTest.csproj
MD5: 2fcbbeebaf521f56f5dbe9a3239599d9
SHA1: eacd7fc34a7d356a6e6f78260e689a5263572eee
SHA256:2358c81c1e3ff944e354d5b3ec343a5e1fb8ef6a6f7873510f44236244d8a8d0

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	SDKTest	High
Product	file	name	SDKTest	High

Identifiers

None

How to read the report | Suppressing false positives | Getting Help: github issues

Sponsor

Project: Testing

Summary

Dependencies (vulnerable)

DotNetSdk.csproj

Evidence

Identifiers

Microsoft.AspNetCore.App:2.2.8

Evidence

Identifiers

Published Vulnerabilities

Microsoft.AspNetCore.Http.Extensions:2.2.0

Evidence

Identifiers

Microsoft.AspNetCore.Http:2.2.2

Evidence

Identifiers

Published Vulnerabilities

Microsoft.Extensions.Hosting:9.0.0

Evidence

Identifiers

Newtonsoft.Json:13.0.3

Evidence

Identifiers

SDKTest.csproj

Evidence

Identifiers

How to read the report | Suppressing false positives | Getting Help: github issues Sponsor

Project: Testing

Summary

Dependencies (vulnerable)

DotNetSdk.csproj

Evidence

Identifiers

Microsoft.AspNetCore.App:2.2.8

Evidence

Identifiers

Published Vulnerabilities

Microsoft.AspNetCore.Http.Extensions:2.2.0

Evidence

Identifiers

Microsoft.AspNetCore.Http:2.2.2

Evidence

Identifiers

Published Vulnerabilities

Microsoft.Extensions.Hosting:9.0.0

Evidence

Identifiers

Newtonsoft.Json:13.0.3

Evidence

Identifiers

SDKTest.csproj

Evidence

Identifiers

How to read the report | Suppressing false positives | Getting Help: github issues

Sponsor