Transitive RestSharp Package Reference Causes Moderate Vulnerability Warning CVE-2024-45302 #101

Open
SeanPLeslie opened this issue Oct 22, 2024 · 1 comment

Comments

@SeanPLeslie

CVE-2024-45302 CRLF Injection in RestSharp's RestRequest.AddHeader method shows up as a vulnerability warning in any project that references CyberSource.Rest.Client.NetStandard. The error you'll see in the compiler:
error NU1902: Warning As Error: Package 'RestSharp' 108.0.3 has a known moderate severity vulnerability, GHSA-4rr6-2v9v-wcpc [F:\Work\1\1719\s\src\Advantage\Advantage.sln]

If a project referencing CyberSource.Rest.Client.NetStandard attempts to force usage of RestSharp version 112.0.0, it will get an error because CyberSource.Rest.Client.NetStandard only allows a reference to 108.0.3. The error for this looks like:
NU1608 Warning As Error: Detected package version outside of dependency constraint: CyberSource.Rest.Client.NetStandard 0.0.1.38 requires RestSharp (= 108.0.3) but version RestSharp 112.0.0 was resolved.

We need a new version of CyberSource that references the fixed RestSharp package 112.0.0.

@mvarblow

We at least need a version of this package that doesn't pin the RestSharp reference at the vulnerable 108.0.3 version. If that dependency were changed to >= 108.0.3 instead of = 108.0.3 then we would at least have a way to pin a later version of RestSharp in our solution.
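The two comments above turn on NuGet dependency-range semantics: an exact pin (shown by NuGet as `(= 108.0.3)`, written `[108.0.3]` in a nuspec) rejects any consumer attempt to resolve RestSharp 112.0.0, while a bare minimum version (`108.0.3` in a nuspec, meaning `>= 108.0.3`) would let the consumer lift the transitive version. The block below is an added example, not code from the issue or from the CyberSource project: a small Python implementation of NuGet's documented range notation and version precedence, plus a function that reproduces the NU1608 decision for both constraint shapes. The message text it produces is modelled on the warning quoted in the issue but is not NuGet's exact wording; pre-release labels are compared as plain strings, a simplification of SemVer 2.0 precedence.

```python
import re
from functools import total_ordering
from typing import Optional

# Added example (not from the issue or the CyberSource project): minimal NuGet
# version-range semantics, used to show why a consumer cannot lift a transitive
# RestSharp reference past a dependency pinned to a single version.


@total_ordering
class NuGetVersion:
    """NuGet/SemVer-style version: compares numeric parts, then pre-release status.

    Missing components are normalised to zero ("1.0" == "1.0.0.0"), as NuGet does.
    A release version ranks above any pre-release of the same number. Build
    metadata after '+' is ignored. Pre-release labels are compared as plain
    strings (a simplification of SemVer 2.0 precedence rules).
    """

    def __init__(self, text: str):
        core, _, _ = text.strip().partition("+")
        core, dash, prerelease = core.partition("-")
        parts = [int(p) for p in core.split(".")]
        parts += [0] * (4 - len(parts))
        self.parts = tuple(parts)
        self.prerelease = prerelease if dash else None

    def _key(self):
        # (numeric parts, is_release, label): release sorts after pre-release.
        return (self.parts, self.prerelease is None, self.prerelease or "")

    def __eq__(self, other):
        return self._key() == other._key()

    def __lt__(self, other):
        return self._key() < other._key()

    def __repr__(self):
        return f"NuGetVersion({'.'.join(map(str, self.parts))}{'-' + self.prerelease if self.prerelease else ''})"


# Bracketed range: [lo,hi], (lo,hi), [lo,), (,hi], [exact]  (NuGet syntax).
_RANGE_RE = re.compile(r"^\s*([\[(])\s*([^,\])]*?)\s*(?:(,)\s*([^\])]*?)\s*)?([\])])\s*$")


class VersionRange:
    """A NuGet dependency version range."""

    def __init__(self, text: str):
        m = _RANGE_RE.match(text)
        if not m:
            # A bare version such as "108.0.3" means ">= 108.0.3": inclusive
            # minimum, no upper bound. This is the shape the second comment asks for.
            self.min, self.min_inclusive = NuGetVersion(text), True
            self.max, self.max_inclusive = None, False
            return
        open_br, lo, comma, hi, close_br = m.groups()
        if comma is None:
            # "[108.0.3]" is an exact pin; "(108.0.3)" is not a valid NuGet range.
            if open_br != "[" or close_br != "]":
                raise ValueError(f"invalid NuGet version range: {text!r}")
            hi = lo
        self.min = NuGetVersion(lo) if lo else None
        self.max = NuGetVersion(hi) if hi else None
        self.min_inclusive = open_br == "["
        self.max_inclusive = close_br == "]"

    def contains(self, v: NuGetVersion) -> bool:
        """True when v satisfies the range, honouring inclusive/exclusive bounds."""
        if self.min is not None and (v < self.min or (v == self.min and not self.min_inclusive)):
            return False
        if self.max is not None and (v > self.max or (v == self.max and not self.max_inclusive)):
            return False
        return True


def check_dependency(consumer: str, dependency: str, constraint: str, resolved: str) -> Optional[str]:
    """Emulate NuGet's NU1608 check: return a warning when the version the solution
    resolved falls outside the range the dependent package declares, else None."""
    if VersionRange(constraint).contains(NuGetVersion(resolved)):
        return None
    return (f"NU1608: Detected package version outside of dependency constraint: "
            f"{consumer} requires {dependency} ({constraint}) but version "
            f"{dependency} {resolved} was resolved.")


if __name__ == "__main__":
    consumer, dep = "CyberSource.Rest.Client.NetStandard", "RestSharp"
    # Exact pin, as reported in the issue: the consumer's override to 112.0.0 is rejected.
    print(check_dependency(consumer, dep, "[108.0.3]", "112.0.0"))
    # Minimum-only range, as requested in the second comment: the override is accepted.
    print(check_dependency(consumer, dep, "108.0.3", "112.0.0"))
```

To see which transitive packages in a solution carry advisories, the SDK's own `dotnet list package --vulnerable --include-transitive` lists them with their advisory identifiers. Overriding a transitive version with a direct PackageReference only works when every dependent package's declared range admits the new version, which is exactly the condition `check_dependency` evaluates.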
