MimeKit has a vulnerable dependency that can lead to denial of service
Description
Summary
Denial of service vulnerability.
Details
See: GHSA-447r-wph3-92pm and dotnet/announcements#312
PoC
Update System.Security.Cryptography.Pkcs to 8.0.1 so that the transitive dependency with the issue gets updated.
Impact
Denial of service vulnerability. Affects MimeKit (>= v3.0.0 and <= v4.7.0) when it is used to decrypt or verify incoming S/MIME messages, and when it is used to import 3rd-party X.509 certificates for encrypting outgoing S/MIME messages.
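A check for this condition in a project's NuGet lock file, added here as an example (it is not code from the advisory or from MimeKit). It assumes the project has a packages.lock.json; the sample lock file is constructed, and the function names are hypothetical.

```python
import json

# Constructed sample packages.lock.json content (not from a real project).
SAMPLE_LOCK = """
{"version": 1, "dependencies": {
  "net8.0": {
    "MimeKit": {"type": "Direct", "resolved": "4.7.0"},
    "System.Security.Cryptography.Pkcs": {"type": "Transitive", "resolved": "8.0.0"}},
  "net6.0": {
    "mimekit": {"type": "Direct", "resolved": "4.7.0"},
    "System.Security.Cryptography.Pkcs": {"type": "Direct", "resolved": "8.0.1"}}
}}
"""

AFFECTED_MIN, AFFECTED_MAX = (3, 0, 0), (4, 7, 0)  # MimeKit range stated in the advisory
PKCS_FIXED = (8, 0, 1)                             # version the advisory says to update to
PKCS_ID = "system.security.cryptography.pkcs"


def parse_version(text):
    """Turn '8.0.1' or '8.0.1-preview.1' into a 3-tuple of ints (suffix ignored)."""
    core = text.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def find_exposed(lock_text):
    """Return [(framework, mimekit_version, pkcs_version_or_None)] needing the update."""
    findings = []
    for framework, packages in json.loads(lock_text).get("dependencies", {}).items():
        # NuGet package IDs are case-insensitive, so normalise before lookup.
        resolved = {name.lower(): info.get("resolved") for name, info in packages.items()}
        mimekit = resolved.get("mimekit")
        if not mimekit or not AFFECTED_MIN <= parse_version(mimekit) <= AFFECTED_MAX:
            continue
        pkcs = resolved.get(PKCS_ID)
        # A missing Pkcs entry is reported too, so a reviewer checks it by hand.
        if pkcs is None or parse_version(pkcs) < PKCS_FIXED:
            findings.append((framework, mimekit, pkcs))
    return findings


if __name__ == "__main__":
    for framework, mimekit, pkcs in find_exposed(SAMPLE_LOCK):
        print(f"{framework}: MimeKit {mimekit}, System.Security.Cryptography.Pkcs {pkcs}")
```

The lock file is evaluated per target framework because each one can resolve a different System.Security.Cryptography.Pkcs version.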
References
Published to the GitHub Advisory Database
Reviewed
Last updated
Severity: High
CVSS v4 base metrics
Exploitability Metrics
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User interaction: None
Vulnerable System Impact Metrics
Confidentiality: None
Integrity: None
Availability: High
Subsequent System Impact Metrics
Confidentiality: None
Integrity: None
Availability: None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE ID: No known CVE
GHSA ID: GHSA-gmc6-fwg3-75m5
