URL: https://github.com/advisories/GHSA-g4vj-cjjj-v7hg

Defense in Depth update for NuGet Client · GHSA-g4vj-cjjj-v7hg · GitHub Advisory Database · GitHub


Defense in Depth update for NuGet Client

Low severity · GitHub Reviewed · Published in NuGet/NuGet.Client

Packages

NuGet.CommandLine (NuGet), NuGet.Packaging (NuGet), NuGet.Protocol (NuGet). The same affected and patched versions apply to all three packages.

| Affected versions | Patched versions |
| --- | --- |
| >= 4.9.0, <= 4.9.6 | 4.9.7 |
| >= 5.11.0, <= 5.11.6 | 5.11.7 |
| >= 6.8.0, <= 6.8.1 | 6.8.2 |
| >= 6.11.0, <= 6.11.1 | 6.11.2 |
| >= 6.12.0, <= 6.12.4 | 6.12.5 |
| >= 6.14.0, <= 6.14.2 | 6.14.3 |
| >= 7.0.0, <= 7.0.2 | 7.0.3 |
| = 7.3.0 | 7.3.1 |

Description

Impact

This update adds validation of the package ID and version during package download, in addition to the existing package signature validation.
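The check the advisory describes, as an added example that is not NuGet.Client's own code: open a downloaded .nupkg (a zip archive carrying a .nuspec), read the package ID and version from the .nuspec, and refuse the download when either does not match what the client asked for. The package bytes are constructed in-process with a placeholder ID, and the version normalization is an approximation of NuGet's rules (case-insensitive IDs, build metadata dropped, leading zeros and a zero fourth part removed).

```python
import io
import zipfile
import xml.etree.ElementTree as ET


def build_nupkg(pkg_id: str, version: str) -> bytes:
    """Constructed minimal .nupkg: a zip holding only a root-level .nuspec."""
    nuspec = (
        '<?xml version="1.0"?>'
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
        f"<metadata><id>{pkg_id}</id><version>{version}</version></metadata></package>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(f"{pkg_id}.nuspec", nuspec)
    return buf.getvalue()


def normalize_version(v: str) -> str:
    """Approximate NuGet normalized version: strip build metadata, pad to
    three numeric parts, drop leading zeros and a trailing zero revision."""
    core, _, pre = v.split("+", 1)[0].partition("-")
    nums = [str(int(p)) for p in core.split(".")]
    while len(nums) < 3:
        nums.append("0")
    if len(nums) == 4 and nums[3] == "0":
        nums = nums[:3]
    return ".".join(nums) + (f"-{pre}" if pre else "")


def read_nuspec_identity(nupkg: bytes) -> tuple[str, str]:
    """Return (id, version) from the single root-level .nuspec in the archive."""
    with zipfile.ZipFile(io.BytesIO(nupkg)) as z:
        names = [n for n in z.namelist() if n.lower().endswith(".nuspec") and "/" not in n]
        if len(names) != 1:
            raise ValueError("expected exactly one root-level .nuspec")
        root = ET.fromstring(z.read(names[0]))
    # Match on local tag names so the nuspec XML namespace version does not matter.
    local = lambda tag: tag.rsplit("}", 1)[-1]
    found = {local(e.tag): (e.text or "").strip() for e in root.iter() if local(e.tag) in ("id", "version")}
    return found["id"], found["version"]


def validate_download(nupkg: bytes, expected_id: str, expected_version: str) -> bool:
    """True only if the archive's declared identity matches the requested one."""
    pkg_id, version = read_nuspec_identity(nupkg)
    return (pkg_id.lower() == expected_id.lower()
            and normalize_version(version) == normalize_version(expected_version))
```

A feed that answers a request for one package with the bytes of another (or another version) is rejected here even if the archive carries a valid signature, which is the layered check the advisory adds.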

Patches

NuGet

The following NuGet.exe, NuGet.CommandLine, NuGet.Packaging, and NuGet.Protocol versions have been patched:

.NET SDK

  • .NET 8.0.126 SDK
  • .NET 8.0.420 SDK
  • .NET 9.0.116 SDK
  • .NET 9.0.313 SDK
  • .NET 10.0.106 SDK
  • .NET 10.0.202 SDK

Workarounds

N/A

References

GHSA-9r3h-v4hx-rhfr

Credit

splitline with DEVCORE

Severity

Low

CVE ID

No known CVE

GHSA ID

GHSA-g4vj-cjjj-v7hg
