MimeKit has vulnerable dependency that can lead to denial of service

High severity • GitHub Reviewed • Published Jul 11, 2024 in jstedfast/MimeKit • Updated Jul 31, 2024

Package

MimeKit (NuGet)

Affected versions

>= 3.0.0, < 4.7.1

Patched versions

4.7.1

Description

Summary

Denial of service vulnerability.

Details

See: GHSA-447r-wph3-92pm and dotnet/announcements#312

PoC

Update System.Security.Cryptography.Pkcs to 8.0.1 so that the transitive dependency with the issue gets updated.

Impact

Denial of service vulnerability. Affects MimeKit (>= v3.0.0 and <= v4.7.0) when it is used to decrypt or verify incoming S/MIME messages, as well as when importing third-party X.509 certificates for use with encrypting outgoing S/MIME messages.
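
To check a project against the range above, the following added example (not part of the advisory or of MimeKit) audits a NuGet `packages.lock.json` for a MimeKit version in the affected range and reports whether the System.Security.Cryptography.Pkcs 8.0.1 workaround is resolved. It assumes the project restores with a lock file; the function names and the sample lock file are constructed for illustration, and version parsing is simplified to numeric parts plus a prerelease flag.

```python
import json

# Ranges taken from the advisory text: MimeKit >= 3.0.0, < 4.7.1;
# workaround: System.Security.Cryptography.Pkcs 8.0.1.
PKCS = "System.Security.Cryptography.Pkcs"

def vkey(version):
    """Sortable key for a NuGet version; a prerelease sorts below its release."""
    core, _, pre = version.split("+")[0].partition("-")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums[:4]) + (0 if pre else 1,)

MIMEKIT_LOW, MIMEKIT_FIXED, PKCS_FIXED = vkey("3.0.0"), vkey("4.7.1"), vkey("8.0.1")

def audit_lockfile(text):
    """Return one finding per target framework that resolves an affected MimeKit."""
    findings = []
    for framework, packages in json.loads(text).get("dependencies", {}).items():
        # NuGet package ids are case-insensitive.
        resolved = {name.lower(): info.get("resolved") for name, info in packages.items()}
        mimekit = resolved.get("mimekit")
        if not mimekit or not (MIMEKIT_LOW <= vkey(mimekit) < MIMEKIT_FIXED):
            continue
        pkcs = resolved.get(PKCS.lower())
        workaround = bool(pkcs) and vkey(pkcs) >= PKCS_FIXED
        findings.append({"framework": framework, "mimekit": mimekit, "pkcs": pkcs,
                         "status": "workaround-applied" if workaround else "affected"})
    return findings

# Constructed sample lock file (not from a real project).
SAMPLE = json.dumps({"version": 1, "dependencies": {
    "net6.0": {"MimeKit": {"type": "Direct", "resolved": "4.3.0"},
               PKCS: {"type": "Transitive", "resolved": "7.0.3"}},
    "net8.0": {"MimeKit": {"type": "Direct", "resolved": "4.7.0"},
               PKCS: {"type": "Direct", "resolved": "8.0.1"}},
    "net9.0": {"MimeKit": {"type": "Direct", "resolved": "4.7.1"}},
}})

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE):
        print(finding)
```

A framework reported as `workaround-applied` still resolves a MimeKit version inside the advisory's range, so upgrading to 4.7.1 remains the cleaner fix.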

References

@jstedfast published to jstedfast/MimeKit Jul 11, 2024
Published to the GitHub Advisory Database Jul 11, 2024
Reviewed Jul 11, 2024
Last updated Jul 31, 2024

Severity

High 7.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

No known CVE

GHSA ID

GHSA-gmc6-fwg3-75m5
