.NET / ASP .NET CVEs package vulnerabilities backfill

[skofman1]

Hi team!

We would like to backfill to the DB NuGet package vulnerabilities for 2017-2020. The list of vulnerabilities below are for .NET and ASP.NET Microsoft packages. Those already have CVEs and the impacted packages were specified in announcements published with each CVE in the .NET / ASP.NET Announcement repositories (https://github.com/dotnet/announcements/issues?q=is%3Aissue+is%3Aopen+cve , https://github.com/aspnet/announcements/issues?q=is%3Aopen+is%3Aissue+cve).

Please let me know if additional details are needed. //cc @taladrane , @JonDouglas, @leecow

CVE	Title	Announcement date	CVE URL	Announcement URL	Impacted software	Vulnerable package id	Vulnerable version range	Fixed in version
CVE-2017-11879	Open Redirect can cause Elevation Of Privilege	11/14/2017	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11879	aspnet/Announcements#277	ASP.NET Core 2.0	Microsoft.AspNetCore.All	2.0.0	2.0.3
CVE-2017-11879	Open Redirect can cause Elevation Of Privilege	11/14/2017	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11879	aspnet/Announcements#277	ASP.NET Core 2.0	Microsoft.AspNetCore.Mvc.Core	2.0.0	2.0.1
CVE-2017-11883	Denial Of Service Vulnerability	11/14/2017	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883	aspnet/Announcements#278	ASP.NET Core 1.0, 1.1 and 2.0.	Microsoft.AspNetCore.Server.WebListener	1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5	1.0.6
CVE-2017-11883	Denial Of Service Vulnerability	11/14/2017	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883	aspnet/Announcements#278	ASP.NET Core 1.0, 1.1 and 2.0.	Microsoft.AspNetCore.Server.WebListener	1.1.0, 1.1.1, 1.1.2 ,1.1.3	1.1.4
CVE-2017-11883	Denial Of Service Vulnerability	11/14/2017	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883	aspnet/Announcements#278	ASP.NET Core 1.0, 1.1 and 2.0.	Microsoft.Net.Http.Server	1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5	1.0.6
CVE-2017-11883	Denial Of Service Vulnerability	11/14/2017	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883	aspnet/Announcements#278	ASP.NET Core 1.0, 1.1 and 2.0.	Microsoft.Net.Http.Server	1.1.0, 1.1.1, 1.1.2 ,1.1.3	1.1.4
CVE-2017-11883	Denial Of Service Vulnerability	11/14/2017	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11883	aspnet/Announcements#278	ASP.NET Core 1.0, 1.1 and 2.0.	Microsoft.AspNetCore.Server.HttpSys	2.0.0, 2.0.1	2.0.2
CVE-2017-8700	CORS bypass can enable Information Disclosure	11/14/2017	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8700	aspnet/Announcements#279	ASP.NET Core 1.0 and 1.1	Microsoft.AspNetCore.Mvc.Core	1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5	1.0.6
CVE-2017-8700	CORS bypass can enable Information Disclosure	11/14/2017	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8700	aspnet/Announcements#279	ASP.NET Core 1.0 and 1.1	Microsoft.AspNetCore.Mvc.Core	1.1.0, 1.1.1, 1.1.2 ,1.1.3, 1.1.4	1.1.6
CVE-2017-8700	CORS bypass can enable Information Disclosure	11/14/2017	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8700	aspnet/Announcements#279	ASP.NET Core 1.0 and 1.1	Microsoft.AspNetCore.Mvc.Cors	1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5	1.0.6
CVE-2017-8700	CORS bypass can enable Information Disclosure	11/14/2017	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8700	aspnet/Announcements#279	ASP.NET Core 1.0 and 1.1	Microsoft.AspNetCore.Mvc.Cors	1.1.0, 1.1.1, 1.1.2 ,1.1.3, 1.1.4	1.1.6
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.ServiceModel.Primitives	4.4.0	4.4.1
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.ServiceModel.Http	4.4.0	4.4.1
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.ServiceModel.NetTcp	4.4.0	4.4.1
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.ServiceModel.Duplex	4.4.0	4.4.1
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.ServiceModel.Security	4.4.0	4.4.1
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.Private.ServiceModel	4.4.0	4.4.1
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.ServiceModel.Primitives	4.3.0	4.3.1
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.ServiceModel.Http	4.3.0	4.3.1
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.ServiceModel.NetTcp	4.3.0	4.3.1
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.ServiceModel.Duplex	4.3.0	4.3.1
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.ServiceModel.Security	4.3.0	4.3.1
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.Private.ServiceModel	4.3.0	4.3.1
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.ServiceModel.Primitives	4.1.0	4.1.1
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.ServiceModel.Http	4.1.0	4.1.1
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.ServiceModel.NetTcp	4.1.0	4.1.1
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.ServiceModel.Duplex	4.1.0	4.1.1
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.ServiceModel.Security	4.1.0	4.1.1
CVE-2018-0786	Security Feature Bypass in X509 Certificate Validation	1/9/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0786	dotnet/announcements#51	WCF packages for .NET Core 1.0 and 1.1, and 2.0	System.Private.ServiceModel	4.1.0	4.1.1
CVE-2018-8269	Denial of Service Vulnerability in Odata	9/10/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075	aspnet/Announcements#385	ASP.NET Core	Microsoft.AspNetCore.DataProtection.AzureStorage	2.1.1	2.1.2
CVE-2018-8269	Denial of Service Vulnerability in Odata	9/10/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075	aspnet/Announcements#385	ASP.NET Core	Microsoft.AspNetCore.DataProtection.AzureStorage	2.2.0	2.2.1
CVE-2018-8269	Denial of Service Vulnerability in Odata	9/10/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075	aspnet/Announcements#385	ASP.NET Core	Microsoft.AspNetCore.All	[2.1.0, 2.1.12]	2.1.13
CVE-2018-8269	Denial of Service Vulnerability in Odata	9/10/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075	aspnet/Announcements#385	ASP.NET Core	Microsoft.AspNetCore.All	[2.2.0, 2.2.6]	2.2.7
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.Private.ServiceModel	[4.0.0, 4.1.1]	4.1.3
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.Private.ServiceModel	[4.3.0, 4.3.1]	4.3.3
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.Private.ServiceModel	[4.4.0, 4.4.2]	4.4.4
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.Private.ServiceModel	[4.5.0, 4.5.1]	4.5.3
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.Duplex	[4.0.0, 4.0.2]	4.0.4
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.Duplex	[4.3.0, 4.3.1]	4.3.3
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.Duplex	[4.4.0, 4.4.2]	4.4.3
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.Duplex	[4.5.0, 4.5.1]	4.5.3
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.Http	[4.0.0, 4.1.1]	4.1.3
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.Http	[4.3.0, 4.3.1]	4.3.3
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.Http	[4.4.0, 4.4.2]	4.4.4
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.Http	[4.5.0, 4.5.1]	4.5.3
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.NetTcp	[4.0.0, 4.1.1]	4.1.3
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.NetTcp	[4.3.0, 4.3.1]	4.3.3
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.NetTcp	[4.4.0, 4.4.2]	4.4.4
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.NetTcp	[4.5.0, 4.5.1]	4.5.3
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.Primitives	[4.0.0, 4.1.1]	4.1.3
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.Primitives	[4.3.0, 4.3.1]	4.3.3
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.Primitives	[4.4.0, 4.4.2]	4.4.4
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.Primitives	[4.5.0, 4.5.1]	4.5.3
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.Security	[4.0.0, 4.1.1]	4.1.3
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.Security	[4.3.0, 4.3.1]	4.3.3
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.Security	[4.4.0, 4.4.2]	4.4.4
CVE-2018-8356	.NET Core Security Feature Bypass Vulnerability	7/10/2018	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2018-8356	dotnet/announcements#73	.NET Core	System.ServiceModel.Security	[4.5.0, 4.5.1]	4.5.3
CVE-2018-8416	.NET Core Tampering Vulnerability	1/8/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8416	dotnet/announcements#95	.NET Core 2.1	Microsoft.NETCore.App	[2.1.0, 2.1.6]	2.1.7
CVE-2019-0545	.NET Core Information Disclosure Vulnerability	1/8/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0545	dotnet/announcements#94	.NET Core 2.1 and 2.2	Microsoft.NETCore.App	[2.1.0, 2.1.6]	2.1.7
CVE-2019-0546	.NET Core Information Disclosure Vulnerability	1/9/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0546	dotnet/announcements#95	.NET Core 2.1 and 2.3	Microsoft.NETCore.App	2.2.0	2.2.1
CVE-2019-0546	.NET Core Information Disclosure Vulnerability	1/9/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0546	dotnet/announcements#95	.NET Core 2.1 and 2.3	System.Net.Http	?	?
CVE-2019-0564	ASP.NET Core Denial of Service Vulnerability	1/8/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564	aspnet/Announcements#334	ASP.NET Core 2.1 and 2.2	Microsoft.AspNetCore.WebSockets	2.2.0	2.2.1
CVE-2019-0564	ASP.NET Core Denial of Service Vulnerability	1/8/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564	aspnet/Announcements#334	ASP.NET Core 2.1 and 2.2	Microsoft.AspNetCore.WebSockets	2.1.0, 2.1.1	2.1.7
CVE-2019-0564	ASP.NET Core Denial of Service Vulnerability	1/8/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564	aspnet/Announcements#334	ASP.NET Core 2.1 and 2.2	Microsoft.AspNetCore.Server.Kestrel.Core	2.1.0, 2.1.1, 2.1.2, 2.1.3	2.1.7
CVE-2019-0564	ASP.NET Core Denial of Service Vulnerability	1/8/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564	aspnet/Announcements#334	ASP.NET Core 2.1 and 2.2	System.Net.WebSockets.WebSocketProtocol	4.5.0, 4.5.1, 4.5.2	4.5.3
CVE-2019-0564	ASP.NET Core Denial of Service Vulnerability	1/8/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564	aspnet/Announcements#334	ASP.NET Core 2.1 and 2.2	Microsoft.NETCore.App	2.2.0	2.2.1
CVE-2019-0564	ASP.NET Core Denial of Service Vulnerability	1/8/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564	aspnet/Announcements#334	ASP.NET Core 2.1 and 2.2	Microsoft.NETCore.App	2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6	2.1.7
CVE-2019-0564	ASP.NET Core Denial of Service Vulnerability	1/8/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564	aspnet/Announcements#334	ASP.NET Core 2.1 and 2.2	Microsoft.AspNetCore.App	2.2.0	2.2.1
CVE-2019-0564	ASP.NET Core Denial of Service Vulnerability	1/8/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564	aspnet/Announcements#334	ASP.NET Core 2.1 and 2.2	Microsoft.AspNetCore.App	2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6	2.1.7
CVE-2019-0564	ASP.NET Core Denial of Service Vulnerability	1/8/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564	aspnet/Announcements#334	ASP.NET Core 2.1 and 2.2	Microsoft.AspNetCore.All	2.2.0	2.2.1
CVE-2019-0564	ASP.NET Core Denial of Service Vulnerability	1/8/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0564	aspnet/Announcements#334	ASP.NET Core 2.1 and 2.2	Microsoft.AspNetCore.All	2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6	2.1.7
CVE-2019-0657	.NET Core Domain Spoofing Vulnerability	2/12/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0657	dotnet/announcements#97	.NET Core 1.0, 1.1, 2.1 and 2.2	System.Private.Uri	[4.3.0, 4.3.1]	4.3.2
CVE-2019-0657	.NET Core Domain Spoofing Vulnerability	2/12/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0657	dotnet/announcements#97	.NET Core 1.0, 1.1, 2.1 and 2.2	Microsoft.NETCore.App	[2.1.0, 2.1.7]	2.1.8
CVE-2019-0657	.NET Core Domain Spoofing Vulnerability	2/12/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0657	dotnet/announcements#97	.NET Core 1.0, 1.1, 2.1 and 2.2	Microsoft.NETCore.App	[2.2.0, 2.2.1]	2.2.2
CVE-2019-0980	.NET Core Denial of Service Vulnerability	5/14/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0980	dotnet/announcements#112	.NET Core and ASP.NET Core 1.0, 1.1, 2.1 and 2.2	System.Private.Uri	[4.3.0, 4.3.1]	4.3.2
CVE-2019-0981	.NET Core Denial of Service Vulnerability	5/14/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0981	dotnet/announcements#113	.NET Core and ASP.NET Core 1.0, 1.1, 2.1 and 2.2	System.Private.Uri	[4.3.0, 4.3.1]	4.3.2
CVE-2019-0982	ASP.NET Core Denial of Service Vulnerability	5/14/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0982	aspnet/Announcements#359	ASP.NET Core 2.1 and 2.2	Microsoft.AspNetCore.SignalR.Protocols.MessagePack	[1.0.0, 1.0.4]	1.0.11
CVE-2019-0982	ASP.NET Core Denial of Service Vulnerability	5/14/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0982	aspnet/Announcements#359	ASP.NET Core 2.1 and 2.2	Microsoft.AspNetCore.SignalR.Protocols.MessagePack	1.1.0	1.1.5
CVE-2019-1075	ASP.NET Core Spoofing Vulnerability	7/9/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075	aspnet/Announcements#373	ASP.NET Core 2.1 and 2.2	Microsoft.AspNetCore.Server.HttpSys	2.1.0, 2.1.1	2.1.12
CVE-2019-1075	ASP.NET Core Spoofing Vulnerability	7/9/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075	aspnet/Announcements#373	ASP.NET Core 2.1 and 2.2	Microsoft.AspNetCore.Server.HttpSys	2.2.0	2.2.6
CVE-2019-1075	ASP.NET Core Spoofing Vulnerability	7/9/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075	aspnet/Announcements#373	ASP.NET Core 2.1 and 2.2	Microsoft.AspNetCore.Server.IIS	2.2.0, 2.2.1, 2.2.2	2.2.6
CVE-2019-1075	ASP.NET Core Spoofing Vulnerability	7/9/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075	aspnet/Announcements#373	ASP.NET Core 2.1 and 2.2	Microsoft.AspNetCore.All	[2.1.0, 2.1.11]	2.1.12
CVE-2019-1075	ASP.NET Core Spoofing Vulnerability	7/9/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075	aspnet/Announcements#373	ASP.NET Core 2.1 and 2.2	Microsoft.AspNetCore.All	[2.2.0, 2.2.5]	2.2.6
CVE-2019-1075	ASP.NET Core Spoofing Vulnerability	7/9/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075	aspnet/Announcements#373	ASP.NET Core 2.1 and 2.2	Microsoft.AspNetCore.App	[2.1.0,2.1.11]	2.1.12
CVE-2019-1075	ASP.NET Core Spoofing Vulnerability	7/9/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1075	aspnet/Announcements#373	ASP.NET Core 2.1 and 2.2	Microsoft.AspNetCore.App	[2.2.0, 2.2.5]	2.2.6
CVE-2019-1302	ASP.NET Core Elevation Of Privilege Vulnerability	9/10/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1302	aspnet/Announcements#384	ASP.NET Core	Microsoft.AspNetCore.SpaServices	[2.1.0, 2.1.1]	2.1.2
CVE-2019-1302	ASP.NET Core Elevation Of Privilege Vulnerability	9/10/2019	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1302	aspnet/Announcements#384	ASP.NET Core	Microsoft.AspNetCore.SpaServices	2.2.0	2.2.1
CVE-2020-0602	ASP.NET Core Denial of Service Vulnerability	1/14/2020	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602	aspnet/Announcements#402	ASP.NET Core	Microsoft.AspNetCore.Http.Connections	[1.0.0, 1.0.4]	1.0.15
CVE-2020-0602	ASP.NET Core Denial of Service Vulnerability	1/14/2020	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602	aspnet/Announcements#402	ASP.NET Core	Microsoft.AspNetCore.App	[2.1.0, 2.1.14]	2.1.15
CVE-2020-0602	ASP.NET Core Denial of Service Vulnerability	1/14/2020	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602	aspnet/Announcements#402	ASP.NET Core	Microsoft.AspNetCore.App	3.0.0	3.0.1
CVE-2020-0602	ASP.NET Core Denial of Service Vulnerability	1/14/2020	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602	aspnet/Announcements#402	ASP.NET Core	Microsoft.AspNetCore.App	3.1.0	3.1.1
CVE-2020-0602	ASP.NET Core Denial of Service Vulnerability	1/14/2020	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0602	aspnet/Announcements#402	ASP.NET Core	Microsoft.AspNetCore.All	[2.1.0, 2.1.14]	2.1.15
CVE-2020-0603	ASP.NET Core Remote Code Execution Vulnerability	1/14/2020	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603	aspnet/Announcements#403	ASP.NET Core	Microsoft.AspNetCore.Http.Connections	[1.0.0, 1.0.4]	1.0.15
CVE-2020-0603	ASP.NET Core Remote Code Execution Vulnerability	1/14/2020	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603	aspnet/Announcements#403	ASP.NET Core	Microsoft.AspNetCore.App	[2.1.0, 2.1.14]	2.1.15
CVE-2020-0603	ASP.NET Core Remote Code Execution Vulnerability	1/14/2020	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603	aspnet/Announcements#403	ASP.NET Core	Microsoft.AspNetCore.App	3.0.0	3.0.1
CVE-2020-0603	ASP.NET Core Remote Code Execution Vulnerability	1/14/2020	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603	aspnet/Announcements#403	ASP.NET Core	Microsoft.AspNetCore.App	3.1.0	3.1.1
CVE-2020-0603	ASP.NET Core Remote Code Execution Vulnerability	1/14/2020	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0603	aspnet/Announcements#403	ASP.NET Core	Microsoft.AspNetCore.All	[2.1.0, 2.1.14]	2.1.15
CVE-2020-0606	.NET Core Remote Code Execution Vulnerability	1/14/2020	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0606	dotnet/announcements#149	.NET Core	Microsoft.WindowsDesktop.App.Ref	3.0.1, 3.1.0	3.0.2, 3.1.1
CVE-2020-1045	Microsoft ASP.NET Core Security Feature Bypass Vulnerability	9/8/2020	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045	dotnet/announcements#165	ASP.NET Core	Microsoft.AspNetCore.Http	[2.1.0, 2.1.1]	2.1.22
CVE-2020-1045	Microsoft ASP.NET Core Security Feature Bypass Vulnerability	9/8/2020	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045	dotnet/announcements#165	ASP.NET Core	Microsoft.AspNetCore.App.Ref	[3.1.0, 3.1.3]	3.1.8
CVE-2020-1045	Microsoft ASP.NET Core Security Feature Bypass Vulnerability	9/8/2020	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045	dotnet/announcements#165	ASP.NET Core	Microsoft.AspNetCore.Owin	[1.0.0, 3.1.7]	3.1.8

[taladrane]

thank you @skofman1 for sharing this with us! we've made an internal issue to track this and have added this to our backfill queue. this information is extremely helpful! I'll let you know if we have any additional questions once we've started going through it 😄

[darakian]

Hey @skofman1, sorry for the delay, but we're now live-ish 🎉

A few notes.
Your list has CVE-2019-0545 as affecting Microsoft.NETCore.App in >= 2.1.0, < 2.1.7 with 2.1.7 as the fix. I assume this is a typo as the reference has two ranges for System.Net.Http. I've followed dotnet/announcements#94 for our advisory.

Similarly CVE-2019-0546 lists Microsoft.NETCore.App and System.Net.Http for the affected packages while
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0546
Lists Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Should this one be for Microsoft.NETCore.App with the two ranges >= 2.1.0, < 2.1.7 & = 2.2.0?
Currently holding off on publishing this one.

CVE-2020-0606 / dotnet/announcements#149
The dotnet announcement mentions Any .NET Core application running on .NET Core 3.0.0, 3.0.1 or 3.1.0. for affected software and your notes list WindowsDesktop.App which does not seem to exist
https://www.nuget.org/packages/WindowsDesktop.App
Makes me think this is for the runtime and not a package, but let me know if I'm wrong there.

CVE-2020-1045 / dotnet/announcements#165
Similar affected software description and your note of Microsoft.Owin is missing both fix versions (2.1.22 and 3.1.8) that you suggest
https://www.nuget.org/packages/Microsoft.Owin
dotnet/aspnetcore#24264
lead me to Microsoft.AspNetCore.Http for this.
Can I get a double check on that one as well?

Thank you so much for the great list and sorry again for the delay in getting this done 🙇

CC @taladrane

[NickCraver]

I'm now hitting this too - are we sure these versions are correct on Microsoft.Owin (NuGet link)? There isn't a package 3.1.8 I can find on any feed after checking everywhere I know of...so I'm questioning if maybe some versions got mixed up here in the CG system? They are exactly the same versions as the line above with Microsoft.AspNetCore.App so maybe a copy/paste thing? This is triggering build governance though so it's becoming a blocker issue for us - can we help resolve?

[leecow]

@darakian - looking at the questions.

RE: CVE-2019-0545 / dotnet/announcements#94, the announcement provides the following.

Package name	Vulnerable versions	Secure versions
Microsoft.NETCore.App (System.Net.Http)	2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6	2.1.7
Microsoft.NETCore.App (System.Net.Http)	2.2.0	2.2.1

This seems correct, though I may be missing something. Let me know. Ah, you're looking at the CVE. I could be misunderstanding the entry - it looks to define 2.1.0 through 2.1.6, inclusive and 2.2.0. Is that not correct?

[darakian]

Hey @leecow, the question I had about that one was with respect to @skofman1's list has Microsoft.NETCore.App rather than System.Net.Http. I assumed that meant https://www.nuget.org/packages/Microsoft.NETCore.App, but maybe that's incorrect.

@NickCraver which advisory is blocking you?

[NickCraver]

@darakian It's the last one for Microsoft.Owin: https://nvd.nist.gov/vuln/detail/CVE-2020-1045 / GHSA-hxrm-9w7p-39cc I can't find how any of these relate to Microsoft.Owin and the fix recommending versions that don't exist (and aren't slightly off - it's recommending 3.1.8 when only 3.1.0 exists) leads me to believe we have something off in the data here. Any help would be much appreciated!

[leecow]

Gotcha, yes, capturing the NetCore.app and 'included' package is confusing. Could the GitHub advisory follow a similar pattern to the .NET advisory? e.g. NetCore.App (System.Net.Http).

[darakian]

@NickCraver Ah gotcha. Our advisory isn't blocking you on that though is it? I couldn't find the Owin reference so, I left it off of that.

@leecow our namespace is defined as the names used on Nuget.org. System.Net.Http in this case.

[NickCraver]

@darakian I'm admittedly naive as to how these systems interact...it's triggering on internal builds in CG today as high severity and will break builds in under a month.

[darakian]

@NickCraver and CG is breaking the build because the it detects Microsoft.Owin in the offending range listed above?

[NickCraver]

@darakian yep exactly, it advises upgrading from 3.0.0 to 3.1.8 but that's not possible/doesn't exist :)

[darakian]

@NickCraver that's not going to be us (github database) then. I suspect that someone may have changed something on the CG side when this list got put together.

@skofman1 might be the best contact there.

[NickCraver]

@skofman1 I have an internal thread going from discovery this AM but thought this may be way downstream of the source mismatch, will add you to this! I assumed this was downstream but honestly no clue.

[skofman1]

@darakian , @leecow -
regarding CVE-2019-0545 - https://www.nuget.org/packages/System.Net.Http doesn't have versions 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 with 2.17 being the fix. Those versions are valid only for https://www.nuget.org/packages/Microsoft.NETCore.App. I imagine that the intent in the [.NET Announcement)(https://github.com/dotnet/announcements/issues/94) is that System.NET.Http has the underlining vulnerability that impacts Microsoft.NETCore.App, however, the version ranges are valid only for Microsoft.NETCore.App. @leecow , do we know which version ranges in System.NET.Http are impacted by this CVE? @darakian, I recommend updating the advisory CVE-2019-0545 for now to include only Microsoft.NETCore.App, until we get clarity on the correct version ranges for System.NET.Http.

Regarding CVE-2019-0546 - this is a data issue. Sorry about that.

Regarding CVE-2020-0606 / dotnet/announcements#149 - @leecow , perhaps you can clarify here. Was you intent this package: https://www.nuget.org/packages/Microsoft.WindowsDesktop.App.Ref ?

Regarding CVE-2020-1045 / dotnet/announcements#165 - @leecow , could you help clarify which https://www.nuget.org/packages/microsoft.owin packages are impacted?

@NickCraver - I imagine someone from CG used this data. Could you provide details on what CG solution your team uses? Is this Azure DevOps? If so, I can try to reach out to them internally.

[NickCraver]

@skofman1 Yep ADO here - and always feel free to ping on Teams too, I can link specific builds/incidents. This started happening last week for us (Thursday/Friday I think) so assuming the same as you here that same data source got pulled in. Thanks a ton for helping us get sorted!