[GHSA-h4j7-5rxr-p4wc] Microsoft.Build.Tasks.Core .NET Spoofing Vulnerability #5640
Conversation
|
Hi there @rbhanda! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
There was a problem hiding this comment.
Pull Request Overview
This pull request updates the security advisory for GHSA-h4j7-5rxr-p4wc by correcting the SDK version information and adjusting the severity reporting. Key changes include:
- Updating the "modified" timestamp.
- Correcting the affected .NET SDK version from ".NET 8.0.309" to ".NET 8.0.409" in the details.
- Removing the CVSS_V3 severity entry so that only CVSS_V4 is reported.
Comments suppressed due to low confidence (2)
advisories/github-reviewed/2025/05/GHSA-h4j7-5rxr-p4wc/GHSA-h4j7-5rxr-p4wc.json:10
- The advisory details now correctly list '.NET 8.0.409' instead of '.NET 8.0.309'. Please confirm that this update is intentional and that all dependent documentation reflects this change.
"details": "# Microsoft Security Advisory CVE-2025-26646: .NET Spoofing Vulnerability ..."
advisories/github-reviewed/2025/05/GHSA-h4j7-5rxr-p4wc/GHSA-h4j7-5rxr-p4wc.json:11
- [nitpick] The removal of the CVSS_V3 severity entry suggests a shift to using solely CVSS_V4 for scoring. Please ensure that this change is in line with the intended advisory standard and that affected parties are informed of the update.
- { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" },
9475fce
into
udlose/advisory-improvement-5640
|
Hi @udlose! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Updates
Comments
version of 8.0.4xx SDK's were incorrect. MSFT updated the advisory to:
Any installation of .NET 8.0.115 SDK, .NET 8.0.311 or .NET 8.0.312 SDK, .NET 8.0.408 or .NET 8.0.309 SDK or earlier.but it should read:
Any installation of .NET 8.0.115 SDK, .NET 8.0.311 or .NET 8.0.312 SDK, .NET 8.0.408 or .NET 8.0.409 SDK or earlier.