Created by HokiePokeDad on 8/19/2024 in #help
✅ .NET 8 CVE-2024-38167 and updating project references
I'm stuck between a rock and a hard place here. The majority of our applications and projects are typically up-to-date with the latest patches for .NET 8 and other dependencies in NuGet. Our vulnerability scanner is reporting that the versions of various assemblies referenced, in this case System.Text.Json.dll, are vulnerable due to CVE-2024-38167 (https://nvd.nist.gov/vuln/detail/CVE-2024-38167). The published CVE notes that the latest non-vulnerable version is 8.0.8; however, the latest publicly released version is 8.0.4, with a few pre-release versions. When published, our projects show a version of 8.0.7. How would I go about upgrading to 8.0.8 if it's not available via NuGet?
14 replies