CVE-2018-1285 (High) detected in opencover.4.7.922.nupkg

[mend-bolt-for-github]

CVE-2018-1285 - High Severity Vulnerability

Vulnerable Library - opencover.4.7.922.nupkg

An open source code coverage tool (branch and sequence point) for all .NET Frameworks 2 and above. A...

Library home page: https://api.nuget.org/packages/opencover.4.7.922.nupkg

Path to dependency file: /tmp/ws-scm/Cube.Note/Tests/Cube.Note.Tests.csproj

Path to vulnerable library: /Cube.Note/Tests/Cube.Note.Tests.csproj

Dependency Hierarchy:

• ❌ opencover.4.7.922.nupkg (Vulnerable Library)

Found in HEAD commit: 6ee58545cf1ea17e7329c5e56daecc905862958b

Vulnerability Details

Apache log4net before 2.0.8 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.

Publish Date: 2020-05-11

URL: CVE-2018-1285

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: apache/logging-log4net@d0b4b01

Release Date: 2017-09-12

Fix Resolution: Replace or update the following file: XmlConfigurator.cs

---

Step up your Open Source Security Game with WhiteSource here