This advisory discloses a security vulnerability that could lead to unauthorized access of privileged information by exploiting a vulnerability in System.Security.Cryptography.Xml 4.7.0. Some earlier versions of NServiceBus had a package dependency on System.Security.Cryptography.Xml with a minimum required version of 4.7.0, and projects referencing those versions of NServiceBus inherited the vulnerability. The vulnerability has been removed in patches for those versions of NServiceBus by changing the minimum required version of System.Security.Cryptography.Xml to 4.7.1.
Projects are affected by this vulnerability if both of the following are true:
- They reference NServiceBus 7.7.x (7.7.4 or earlier) or 7.8.0 (other versions may be affected, but they are not supported)
- They do not explicitly reference System.Security.Cryptography.Xml 4.7.1 or later:
  <PackageReference Include="System.Security.Cryptography.Xml" Version="4.7.1" />
System.Security.Cryptography.Xml vulnerability (CVE-2022-34716)
An information disclosure vulnerability exists in .NET Core 3.1 (3.1.27 and earlier) and .NET 6.0 (6.0.7 and earlier) that could lead to unauthorized access of privileged information. Details are available in the CVE-2022-34716 vulnerability disclosure from Microsoft.
In-depth details about the attack complexity, vector, and impact are available in the CVE-2022-34716 guidance from DevHub.
Affected versions
NServiceBus 7.7.x (7.7.4 and earlier) and 7.8.0 are affected by this vulnerability.
NServiceBus 8.0.0 and later are not affected.
(Other versions may be affected, but they are not supported.)
Risk mitigation
If it is not immediately possible to perform the fix listed below, as a workaround, the vulnerability may be removed by adding an explicit reference to System.Security.Cryptography.Xml 4.7.1:
<PackageReference Include="System.Security.Cryptography.Xml" Version="4.7.1" />
Fix
This vulnerability can be fixed by upgrading NServiceBus to the latest patch of a currently supported version.
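Whether the workaround or the upgrade actually removed the vulnerable transitive dependency is visible in the NuGet restore output (obj/project.assets.json), where each resolved package appears under "targets" as "PackageId/Version" with its dependency edges. The script below is an added example, not part of this advisory or of NServiceBus; it parses a constructed, heavily simplified assets file for a project referencing NServiceBus 7.7.4, reports the resolved version of System.Security.Cryptography.Xml, flags it when below 4.7.1, and lists which packages pull it in.

```python
import json

# Constructed sample of a restore output (obj/project.assets.json) for a project
# that references NServiceBus 7.7.4. Only the fields this check reads are kept;
# a real file lists many more packages and fields.
SAMPLE_ASSETS = """{
  "targets": {
    "net6.0": {
      "NServiceBus/7.7.4": {
        "type": "package",
        "dependencies": {"System.Security.Cryptography.Xml": "4.7.0"}
      },
      "System.Security.Cryptography.Xml/4.7.0": {"type": "package"}
    }
  }
}"""

PACKAGE = "System.Security.Cryptography.Xml"
FIXED = (4, 7, 1)  # first version the advisory considers safe


def parse_version(text):
    # Numeric part of a NuGet version; any "-prerelease" suffix is dropped.
    return tuple(int(p) for p in text.split("-")[0].split("."))


def resolved_version(assets, framework):
    # Keys under "targets" have the form "<PackageId>/<ResolvedVersion>".
    for key in assets["targets"][framework]:
        pkg_id, _, ver = key.partition("/")
        if pkg_id.lower() == PACKAGE.lower():
            return ver
    return None


def dependents(assets, framework):
    # Packages whose dependency edges point at the package under review.
    hits = []
    for key, entry in assets["targets"][framework].items():
        deps = entry.get("dependencies", {})
        if any(d.lower() == PACKAGE.lower() for d in deps):
            hits.append(key)
    return hits


def check(assets_text, framework="net6.0"):
    """Return (is_vulnerable, resolved_version, dependents) for one target."""
    assets = json.loads(assets_text)
    ver = resolved_version(assets, framework)
    if ver is None:
        return (False, None, [])
    return (parse_version(ver) < FIXED, ver, dependents(assets, framework))


if __name__ == "__main__":
    print(check(SAMPLE_ASSETS))
```

Run it against a real obj/project.assets.json after `dotnet restore`; a resolved version of 4.7.1 or later for every target framework means the explicit reference or the NServiceBus upgrade took effect.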
Contact info
Questions or concerns regarding this advisory may be sent to security@particular.net.