Open
Description
Hi,
I hope you can help me clarify a question about system packages.
Since version 4.3.0 no more versions were released for the package, if I understand correctly the package is now part of a bundle that is published in each dotnet version. Now, if we open the package Microsoft.NETCore.App.Ref we can see that the new version is present in the FrameworkList.xml. Considering this, the version is the one that is in the AssemblyVersion property or the FileVersion property? Because, looking at the GitHub advisory it seems they are using the FileVersion to tell if the package is vulnerable or not. Microsoft Security Advisory CVE-2023-36049: .NET Elevation of Privilege Vulnerability CVE-2023-36049 GitHub Advisory Database
Thanks
Metadata
Metadata
Assignees
Labels
No labels