Description
Vulnerable Library - Umbraco.Cms.StaticAssets-1.0.0
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.json/7.0.0/system.text.json.7.0.0.nupkg
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (Umbraco.Cms.StaticAssets version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|
| CVE-2024-43383 | 8.0 | lucene.net.replicator.4.8.0-beta00016.nupkg | Transitive | N/A* | ❌ | |
| CVE-2024-38095 | 7.5 | system.formats.asn1.7.0.0.nupkg | Transitive | N/A* | ❌ | |
| CVE-2024-30105 | 7.5 | system.text.json.7.0.0.nupkg | Transitive | N/A* | ❌ | |
| CVE-2025-11842 | 6.3 | smidge.4.3.0.nupkg | Transitive | N/A* | ❌ | |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.
Details
CVE-2024-43383
Vulnerable Library - lucene.net.replicator.4.8.0-beta00016.nupkg
Replicator that allows replication of files between a server and client(s) for the Lucene.NET full-t...
Library home page: https://api.nuget.org/packages/lucene.net.replicator.4.8.0-beta00016.nupkg
Path to dependency file: /src/Umbraco.Cms.Imaging.ImageSharp2/Umbraco.Cms.Imaging.ImageSharp2.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/lucene.net.replicator/4.8.0-beta00016/lucene.net.replicator.4.8.0-beta00016.nupkg
Dependency Hierarchy:
- Umbraco.Cms.StaticAssets-1.0.0 (Root Library)
  - Umbraco.Cms.Web.BackOffice-1.0.0
    - Umbraco.Cms.Web.Common-1.0.0
      - Umbraco.Cms.Examine.Lucene-1.0.0
        - examine.3.1.0.nupkg
          - examine.lucene.3.1.0.nupkg
            - ❌ lucene.net.replicator.4.8.0-beta00016.nupkg (Vulnerable Library)
Found in base branch: contrib
Vulnerability Details
Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator. This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016.
An attacker that can intercept traffic between a replication client and server, or control the target replication node
URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This
can result in remote code execution or other potential unauthorized access.
Publish Date: 2024-10-31
URL: CVE-2024-43383
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Adjacent
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2024/q4/49
Release Date: 2024-10-31
Fix Resolution: Lucene.Net.Replicator - 4.8.0-beta00017,ClerkIoConnector - 10.0.1,Umble.Construct - no_fix,Lucene.Net.Replicator - 4.8.0-beta00017,Lucene.Net.Replicator - no_fix
CVE-2024-38095
Vulnerable Library - system.formats.asn1.7.0.0.nupkg
Provides classes that can read and write the ASN.1 BER, CER, and DER data formats.
Commonly Used Types:
System.Formats.Asn1.AsnReader
System.Formats.Asn1.AsnWriter
Library home page: https://api.nuget.org/packages/system.formats.asn1.7.0.0.nupkg
Path to dependency file: /tests/Umbraco.Tests.Common/Umbraco.Tests.Common.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.formats.asn1/7.0.0/system.formats.asn1.7.0.0.nupkg
Dependency Hierarchy:
- Umbraco.Cms.StaticAssets-1.0.0 (Root Library)
  - Umbraco.Cms.Web.BackOffice-1.0.0
    - Umbraco.Cms.Web.Common-1.0.0
      - Umbraco.Cms.Examine.Lucene-1.0.0
        - Umbraco.Cms.Infrastructure-1.0.0
          - mailkit.4.1.0.nupkg
            - mimekit.4.1.0.nupkg
              - system.security.cryptography.pkcs.7.0.2.nupkg
                - ❌ system.formats.asn1.7.0.0.nupkg (Vulnerable Library)
Found in base branch: contrib
Vulnerability Details
.NET and Visual Studio Denial of Service Vulnerability
Publish Date: 2024-07-09
URL: CVE-2024-38095
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-447r-wph3-92pm
Release Date: 2024-07-09
Fix Resolution: Microsoft.NetCore.App.Runtime - 6.0.32,8.0.7, System.Formats.Asn1 - 6.0.1,8.0.1
CVE-2024-30105
Vulnerable Library - system.text.json.7.0.0.nupkg
Provides high-performance and low-allocating types that serialize objects to JavaScript Object Notation (JSON) text and deserialize JSON text to objects, with UTF-8 support built-in.
Library home page: https://api.nuget.org/packages/system.text.json.7.0.0.nupkg
Path to dependency file: /src/Umbraco.PublishedCache.NuCache/Umbraco.PublishedCache.NuCache.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.json/7.0.0/system.text.json.7.0.0.nupkg
Dependency Hierarchy:
- Umbraco.Cms.StaticAssets-1.0.0 (Root Library)
  - Umbraco.Cms.Web.BackOffice-1.0.0
    - serilog.aspnetcore.7.0.0.nupkg
      - serilog.settings.configuration.7.0.0.nupkg
        - microsoft.extensions.dependencymodel.7.0.0.nupkg
          - ❌ system.text.json.7.0.0.nupkg (Vulnerable Library)
Found in base branch: contrib
Vulnerability Details
.NET and Visual Studio Denial of Service Vulnerability
Publish Date: 2024-07-09
URL: CVE-2024-30105
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-hh2w-p6rv-4g7w
Release Date: 2024-07-09
Fix Resolution: System.Text.Json - 8.0.4
CVE-2025-11842
Vulnerable Library - smidge.4.3.0.nupkg
A lightweight library for runtime CSS and JavaScript file management, minification, combination & compression
Library home page: https://api.nuget.org/packages/smidge.4.3.0.nupkg
Path to dependency file: /src/Umbraco.Cms.Api.Delivery/Umbraco.Cms.Api.Delivery.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/smidge/4.3.0/smidge.4.3.0.nupkg
Dependency Hierarchy:
- Umbraco.Cms.StaticAssets-1.0.0 (Root Library)
  - Umbraco.Cms.Web.BackOffice-1.0.0
    - Umbraco.Cms.Web.Common-1.0.0
      - smidge.nuglify.4.3.0.nupkg
        - ❌ smidge.4.3.0.nupkg (Vulnerable Library)
Found in base branch: contrib
Vulnerability Details
A security vulnerability has been detected in Shazwazza Smidge up to 4.5.1. The impacted element is an unknown function of the component Bundle Handler. The manipulation of the argument Version leads to path traversal. Remote exploitation of the attack is possible. Upgrading to version 4.6.0 is sufficient to resolve this issue. It is recommended to upgrade the affected component.
Publish Date: 2025-10-16
URL: CVE-2025-11842
CVSS 3 Score Details (6.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-9rvm-p3qm-f4vv
Release Date: 2025-10-16
Fix Resolution: smidge - 4.6.0