This update adds validation of the package ID and version during package download, in addition to the existing package signature validation.
The following NuGet.exe, NuGet.CommandLine, NuGet.Packaging, and NuGet.Protocol versions have been patched:
|Affected versions|Patched version|
|--|--|
|>= 4.9.0, <= 4.9.6|4.9.7|
|>= 5.11.0, <= 5.11.6|5.11.7|
|>= 6.8.0, <= 6.8.1|6.8.2|
|>= 6.11.0, <= 6.11.1|6.11.2|
|>= 6.12.0, <= 6.12.4|6.12.5|
|>= 6.14.0, <= 6.14.2|6.14.3|
|>= 7.0.0, <= 7.0.2|7.0.3|
|7.3.0|7.3.1|
N/A
https://github.com/NuGet/NuGetGallery/security/advisories/GHSA-9r3h-v4hx-rhfr