
I upgraded RestSharp from 106.13.0 to 108.0.2 on .NET Framework 4.7.2 and, since then, I'm getting both CVE-2021-24112 and CVE-2021-26701 with severity CRITICAL and a score of 9.8 in the Dependency Scan Results (dotnet).

I also observed the fix version as 6.0.8 for 'System.Text.Encoding' in the Dependency Scan Results (dotnet), but could not find a 6.0.8 of the 'System.Text.Encodings.Web' NuGet package.

Actual Dependency Scan Results:

Id             │ Package              │ Version        │ Fix Version │ Severity │ Score
CVE-2021-24112 │ System.Text.Encoding │ >=5.0-<=5.0.2  │ 6.0.8       │ CRITICAL │ 9.8
CVE-2021-26701 │ System.Text.Encoding │ >=5.0-<5.0.4   │ 6.0.8       │ CRITICAL │ 9.8

What I tried: I tried updating to the latest RestSharp (108.0.2) and System.Text.Encodings.Web (6.0.0) NuGet packages, but the issue still persists.

What I need: the severity score should be reduced for CVE-2021-24112 and CVE-2021-26701 in the dependency scan results.

Am I missing anything here?

Any insights would be really helpful.

Thanks in advance

    You are not gonna "reduce a CVE severity". If it is present it will score whatever it was cataloged at... And CVE-2021-24112 is a remote code execution one so it is gonna score high. Do you notice that `System.Text.Encoding` is different to `System.Text.Encodings.Web`? Upgrade the correct package – Cleptus Oct 26 '22 at 18:51
  • The reason I updated 'System.Text.Encodings.Web' is that I am unable to find the 'System.Text.Encoding' package in the project, and many references point to updating 'System.Text.Encodings.Web' to fix this issue. – Manoj Buddy Oct 28 '22 at 13:21

1 Answer


You need to upgrade System.Text.Json to the latest version in your project, as System.Text.Encoding is one of its dependencies. The lowest version constraint of RestSharp is 5.0.1, and you can install any version you want above that.

Alexey Zimarev
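The answer and the comments above both come down to one practical check: find which direct package reference pulls the flagged transitive package into the build, confirm the scanner's package name actually exists in the resolved graph (System.Text.Encoding is not System.Text.Encodings.Web), and compare the resolved version against the affected range. The script below is an added example, not code from the question, the answer or RestSharp. It parses the packages.lock.json that `dotnet restore` writes when RestorePackagesWithLockFile is enabled; the lock-file content, the dependency versions in it and the EXAMPLE-0001 finding are constructed for illustration and are not RestSharp's real dependency graph. The two CVE rows are the scanner's own, copied from the question.

```python
"""Trace a flagged NuGet package back to the direct reference that pulls it in
and check its resolved version against the scanner's affected range.

Added example, not code from the original question or answer. Reads the
packages.lock.json format; the content below is constructed and the
dependency versions are hypothetical, not RestSharp's real graph.
"""
import json
import re
from collections import deque

# Constructed packages.lock.json (assumption: versions are illustrative only).
LOCK_FILE_TEXT = json.dumps({
    "version": 1,
    "dependencies": {
        ".NETFramework,Version=v4.7.2": {
            "RestSharp": {
                "type": "Direct",
                "requested": "[108.0.2, )",
                "resolved": "108.0.2",
                "dependencies": {"System.Text.Json": "5.0.1"},
            },
            "System.Text.Json": {
                "type": "Transitive",
                "resolved": "5.0.1",
                "dependencies": {"System.Text.Encodings.Web": "5.0.0"},
            },
            "System.Text.Encodings.Web": {
                "type": "Transitive",
                "resolved": "5.0.0",
            },
        }
    }
})

# Findings as (id, package, affected range). The first two are the scanner
# rows from the question; EXAMPLE-0001 is a hypothetical finding used only to
# exercise the range check against the constructed lock file.
FINDINGS = [
    ("CVE-2021-24112", "System.Text.Encoding", ">=5.0-<=5.0.2"),
    ("CVE-2021-26701", "System.Text.Encoding", ">=5.0-<5.0.4"),
    ("EXAMPLE-0001", "System.Text.Encodings.Web", ">=5.0,<5.0.1"),
]

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
}


def parse_version(text):
    """NuGet version string -> 4-tuple; prerelease/build metadata is dropped."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def version_in_range(version, range_text):
    """True if every bound in range_text holds; accepts '>=5.0,<5.0.4'
    as well as the dash-separated form the scanner printed ('>=5.0-<=5.0.2')."""
    bounds = re.findall(r"(>=|<=|>|<|==)\s*(\d+(?:\.\d+)*)", range_text)
    if not bounds:
        raise ValueError("no version bounds found in %r" % range_text)
    v = parse_version(version)
    return all(_OPS[op](v, parse_version(bound)) for op, bound in bounds)


def load_lock(text):
    """Return the package map of the first target framework in the lock file."""
    return next(iter(json.loads(text)["dependencies"].values()))


def dependency_chain(packages, name):
    """[direct, ..., name] for the first Direct reference that pulls `name` in,
    None if the package is not in the lock file at all. IDs are case-insensitive."""
    lookup = {k.lower(): k for k in packages}
    key = lookup.get(name.lower())
    if key is None:
        return None
    parents = {}  # child -> [parents], reverse edges of the dependency graph
    for pkg, info in packages.items():
        for dep in info.get("dependencies", {}):
            parents.setdefault(lookup.get(dep.lower(), dep), []).append(pkg)
    queue, seen = deque([[key]]), {key}
    while queue:
        chain = queue.popleft()
        if packages[chain[0]].get("type") == "Direct":
            return chain
        for parent in parents.get(chain[0], []):
            if parent not in seen:
                seen.add(parent)
                queue.append([parent] + chain)
    return [key]  # present but not reachable from a Direct reference


def triage(lock_text, findings):
    """Map each finding to its chain and an affected / not affected / missing verdict."""
    packages = load_lock(lock_text)
    results = []
    for finding_id, name, affected in findings:
        chain = dependency_chain(packages, name)
        if chain is None:
            results.append({"id": finding_id, "package": name, "status": "not in lock file"})
            continue
        resolved = packages[chain[-1]]["resolved"]
        results.append({
            "id": finding_id, "package": chain[-1], "resolved": resolved,
            "chain": " -> ".join(chain),
            "status": "affected" if version_in_range(resolved, affected) else "not affected",
        })
    return results


if __name__ == "__main__":
    for r in triage(LOCK_FILE_TEXT, FINDINGS):
        print(r)
```

A "not in lock file" verdict for a scanner row means the scanner's package name does not appear in the resolved graph, so upgrading a similarly named package will not change the result; an "affected" verdict shows exactly which direct reference to bump. With a real project, `dotnet list package --include-transitive --vulnerable` gives the same transitive view from the SDK itself, and adding an explicit PackageReference to the patched version of the transitive package overrides the version a dependency would otherwise pull in.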