SevenZipExtractor

Problem

Software composition analysis has identified a component with one or more known severe vulnerabilities. Available threat intelligence telemetry has confirmed that the reported high or critical severity vulnerabilities are actively being exploited by malicious actors.

Problem

Protection from integer-based memory allocation overflow attacks is a vulnerability mitigation implemented by the programming language compiler. It enables enforcement of memory allocation limits during code execution. This is achieved by instrumenting each memory allocation instance (through the programming language keyword 'new') and validating its parameters. Should an application try to allocate a maximum number of elements via a single call to 'new', the execution will be terminated. This vulnerability mitigation is designed to protect against resource exhaustion and improper handling of memory allocation failures.

Problem

Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as high severity.

Problem

Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as medium severity.

Problem

Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Open source communities depend on the work of thousands of software developers that volunteer their time to maintain software components. Software developers build up the reputation of their open source projects by developing in public. Modern source code repositories have many social features that allow software developers to handle bug reports, have discussions with their users, and convey reaching significant project milestones. It is uncommon to find open source projects that omit linking their component to a publicly accessible source code repository.

Prevalence in NuGet community

No prevalence information at this time

Problem

Address Space Layout Randomization (ASLR) is a vulnerability mitigation option that forces software components to load on a different memory base address each time they are used. This mitigation is detected as enabled, but rendered ineffective since the set load base address forces the 64-bit image to load within the lower 32-bit memory range. Having a smaller memory range makes ASLR more predictable, and it is therefore easier for malicious code to bypass it.

Problem

Control Flow Guard (CFG/CFI) protects the code flow integrity by ensuring that indirect calls are made only to vetted functions. This mitigation protects dynamically resolved function targets by instrumenting the code responsible for transferring execution control. Because the code flow integrity is verified during runtime, malicious code is less likely to be able to hijack trusted execution paths.

Problem

Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures verify the origin and the integrity of the object they apply to. The integrity validation relies on the cryptographic strength of the encryption and the hash verification algorithm. If either of the two is considered weak by current standards, there is a chance the signed object could be maliciously modified, without triggering the integrity failure check.

Problem

Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures are made using digital certificates, which can either be purchased from certificate authorities or be self-issued. When a certificate is purchased from a certificate authority, the subject that requests it goes through an identity validation process. Depending on the certificate type, those checks can be basic or extended. Confirming the subject identity is a multi-step process, and the requesting subject can be mapped to its legal entity name only through extended validation of submitted documents. Extended identity validation typically costs more, and it takes longer for a certificate to be issued when this process is correctly followed.