What Is Wrong with Vulnerabilities in C# Projects?

The Background (Vulnerabilities in C/C++ Projects)

I have already faced a similar issue regarding the C and C++ programming languages, and I would like to make a small reference to previous work, so that the question of the matter rendered in title, became more understandable.

  • Commit contains corrections of a small fragment of code in a single file.
  • The code in this fragment is related to the use of some standard features, such as functions, libraries, and so on, rather than to some specific features for a particular project (for example, for some functions that replace their standard analogs).
  • The vulnerability is not the result of a specific error in the logic of the application work.

Vulnerabilities in C# Projects

I had made several tries from different sides towards finding vulnerabilities in open source C# projects, but they all have not produced the expected outcome.

  • A small utility was written which has scanned the CVE base, found all the links on GitHub (more 5000), and selected those which constituted the references to the commits that affected the C# (.cs) files. To my surprise, there were only 8 links! This definitely was not enough. In addition, not all the commits were coming under the ‘optimal’ criteria, described in the previous section.
  • Among all of the C# projects’ issues with a rate more than 10, I chose the ones, which contained “CVE” in a heading, subject or comments. Off-target again — in most cases the specific CVE have not been considered or there were no references to commits with corrections.
  • I also looked through the projects from the .NET Open Source Developer Projects list. I was looking for them in the CVE base, on the CVE Details website, in Google.
  • I looked through the CVE base, searching by specific keywords, such as C# or .Net.
  • I also searched in Google by various identifiers of CVE from CVE database and from the CVE Details web site.
  • In addition, I searched in Google information by various search requests, related to C# / .Net vulnerabilities and open source projects.
  • The vulnerability is in CVE database, there is a link to the release in which the vulnerability was closed (which itself confirms its existence), but there is no mention of the vulnerable code, even though it’s an open source project! Again, generally, in C/C++ projects, there were references to specific commits, closing vulnerabilities. Which means, that developers reported not only that vulnerability was closed, but also demonstrated the problem and its solution method.

Conclusion

In general, I was surprised with this situation regarding vulnerabilities in C# projects. Why so few of them? Why are there few examples of vulnerabilities that have been closed?

List of Found Vulnerabilities

Below I would like to give a list of vulnerabilities that had both the CVE identifier, and examples of vulnerable code. Perhaps, they will be interesting/useful for someone. Also, if you would like to offer a link on an example of code vulnerabilities in a email, please, make sure that the identifier is not in the following list.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store