GMS-2023-1893: Moq v4.20.0 and 4.20.1 share hashed user data

August 10, 2023 (updated August 29, 2023)

Moq v4.20.0 and 4.20.1 include support for SponsorLink, which runs an obfuscated DLL at build time that scans local git config data and shares the user’s hashed email address with SponsorLink’s remote servers. There is no option to disable this.

Moq v4.20.2 has removed this functionality.

References

github.com/advisories/GHSA-6r78-m64m-qwcf
github.com/moq/moq/issues/1374
github.com/moq/moq/pull/1363
github.com/moq/moq/pull/1375
www.cazzulino.com/sponsorlink.html

Code Behaviors & Features

Detect and mitigate GMS-2023-1893 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →