Top issues
Detected presence of severe vulnerabilities with active exploitation.
Causes risk: actively exploited vulnerabilities
vulnerabilities
Problem
Software composition analysis has identified a component with one or more known severe vulnerabilities. Available threat intelligence telemetry has confirmed that the reported high or critical severity vulnerabilities are actively being exploited by malicious actors.Prevalence in NuGet community
0 packages
found in
Top 100
4 packages
found in
Top 1k
86 packages
found in
Top 10k
62067 packages
in community
Next steps
We strongly advise updating the component to the latest version.
If the update can't resolve the issue, create a plan to isolate or replace the affected component.
Detected presence of high severity vulnerabilities.
Causes risk: high severity vulnerabilities
vulnerabilities
Problem
Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as high severity.Prevalence in NuGet community
0 packages
found in
Top 100
4 packages
found in
Top 1k
115 packages
found in
Top 10k
88612 packages
in community
Next steps
Perform impact analysis for the reported CVEs.
Update the component to the latest version.
If the update can't resolve the issue, create a plan to isolate or replace the affected component.
Problem
Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. One or more embedded URLs were discovered to link to raw files hosted on GitHub. Attackers often abuse popular web services to host malicious payloads. Since code-sharing services URLs are typically allowed by security solutions, using them for payload delivery increases the odds that the malicious code will reach the user. While the presence of code-sharing service locations does not imply malicious intent, all of their uses in a software package should be documented and approved. An increasing number of software supply chain attacks in the open source space leverages the GitHub service to deliver malicious payloads.Prevalence in NuGet community
0 packages
found in
Top 100
22 packages
found in
Top 1k
142 packages
found in
Top 10k
59574 packages
in community
Next steps
Investigate reported detections.
If the software should not include these network references, investigate your build and release environment for software supply chain compromise.
You should delay the software release until the investigation is completed, or until the issue is risk accepted.
Consider an alternative delivery mechanism for software packages.
Detected presence of medium severity vulnerabilities.
Causes risk: medium severity vulnerabilities
vulnerabilities
Problem
Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as medium severity.Prevalence in NuGet community
0 packages
found in
Top 100
5 packages
found in
Top 1k
58 packages
found in
Top 10k
33956 packages
in community
Next steps
Perform impact analysis for the reported CVEs.
Update the component to the latest version.
If the update can't resolve the issue, create a plan to isolate or replace the affected component.
Detected digital signatures that rely on a weak digest algorithm for integrity validation.
signatures
Problem
Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures verify the origin and the integrity of the object they apply to. The integrity validation relies on the cryptographic strength of the encryption and the hash verification algorithm. If either of the two is considered weak by current standards, there is a chance the signed object could be maliciously modified, without triggering the integrity failure check.Prevalence in NuGet community
0 packages
found in
Top 100
38 packages
found in
Top 1k
315 packages
found in
Top 10k
733240 packages
in community
Next steps
Create signatures with strong ECC key-length of at least 224 bits, or RSA key-length of at least 2048 bits, and use SHA256 as the hashing algorithm. While encryption key-length upgrade does require you to obtain a new certificate, the hashing algorithm can freely be selected during signing.
With Microsoft SignTool, you can specify the hashing algorithm using the /fd SHA256 parameter.
Top behaviors
Contains URIs related to Symantec security products.
network
Prevalence in NuGet community
Behavior often found in this community (Common)
0 packages
found in
Top 100
62 packages
found in
Top 1k
484 packages
found in
Top 10k
560289 packages
in community
Contains URLs that link to raw files on GitHub.
network
Prevalence in NuGet community
Behavior often found in this community (Common)
0 packages
found in
Top 100
22 packages
found in
Top 1k
142 packages
found in
Top 10k
59985 packages
in community
Contains IP addresses.
network
Prevalence in NuGet community
Behavior often found in this community (Common)
0 packages
found in
Top 100
59 packages
found in
Top 1k
458 packages
found in
Top 10k
532614 packages
in community
Contains URLs.
network
Prevalence in NuGet community
Behavior often found in this community (Common)
0 packages
found in
Top 100
63 packages
found in
Top 1k
513 packages
found in
Top 10k
735907 packages
in community
Enumerates files.
search
Prevalence in NuGet community
Behavior often found in this community (Common)
0 packages
found in
Top 100
34 packages
found in
Top 1k
262 packages
found in
Top 10k
107460 packages
in community
Top vulnerabilities
Vulnerability Exploitation Lifecycle
(3 Active Vulnerabilities)
2 (2 Fixable)
CVE-2019-1258h
CVE-2022-26907m
1 (1 Fixable)
CVE-2024-21907h
None
None
Exploits Unknown
Exploits Exist
Exploited by Malware
Patching Mandated