Microsoft.NET.Test.Sdk references NuGet.Frameworks containing CVE-2022-30184

[Skoucail]

Description

Microsoft.NET.Test.Sdk references NuGet.Frameworks containing CVE-2022-30184
Might concider updating NuGet.Frameworks to a later version (6.2.1 or higher i believe).

Diagnostic logs

CVE-2022-30184
.NET and Visual Studio Information Disclosure Vulnerability.
NVD-CWE-noinfo
CVSSv2:
Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
References:
FEDORA - FEDORA-2022-5508547b1e
FEDORA - FEDORA-2022-cd37732349
MISC - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30184
Vulnerable Software & Versions: (show all)
cpe:2.3:a:microsoft:nuget:::::::: versions up to (excluding) 6.2.1

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30184

Environment

Project was build with:
<TargetFramework>netcoreapp3.1</TargetFramework>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.5.0" />

[domwvitality]

Our security scanner is picking this up too.
Currently we're explicitly installing a later version which doesn't contain the vulnerability. Can the dependant version be upped so it requires a version of NuGet.Frameworks that doesn't contain the vulnerability?

[nohwnd]

I am creating a patch for 17.6.1 that we will be servicing and releasing soon. Hopefully you can update to that.