CVE-2024-21907 – CVE Helper

README.md
Rendering markdown...
POC / seal-security-nuget-demo-net7.csproj CSPROJ
⬇ Raw GitHub ✕ Close
<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net7.0</TargetFramework>
    <Nullable>enable</Nullable>
    <ImplicitUsings>enable</ImplicitUsings>
    <RootNamespace>SealSecurityNuGetDemoNet7</RootNamespace>
    <AssemblyName>seal-security-nuget-demo-net7</AssemblyName>
    <!-- Suppress compatibility warning for log4net demo (advertises legacy TFM but runs fine on net7.0) -->
    <NoWarn>$(NoWarn);NU1701</NoWarn>
  </PropertyGroup>

  <ItemGroup>
    <!-- Vulnerable Newtonsoft.Json - CVE-2024-21907 (DoS via deep recursion) CVSS 7.5 -->
    <!-- Version 12.0.2 is vulnerable, fixed in 13.0.1 -->
    <PackageReference Include="Newtonsoft.Json" Version="12.0.2" />

    <!-- Vulnerable log4net - CVE-2018-1285 (XXE in XML config) CVSS 9.8 -->
    <!-- Version 2.0.5 is vulnerable, fixed in 2.0.10 -->
    <PackageReference Include="log4net" Version="2.0.5" />

    <!-- Required by log4net for .NET Core / .NET 7 - pinned to 7.0.0 to match TargetFramework -->
    <PackageReference Include="System.Configuration.ConfigurationManager" Version="7.0.0" />
  </ItemGroup>

  <!--
    Seal Security NuGet Feed
    Authentication required - see nuget.config or README.md for setup instructions.
    The feed is configured in nuget.config file.
  -->

</Project>