Security vulnerability in one of the dependencies #320

Closed
tiliev opened this issue May 3, 2022 · 3 comments
Comments

@tiliev

tiliev commented May 3, 2022

Hello,

Our vulnerability detection tool reports a security vulnerability in one of your dependencies:

[email protected] -> [email protected] -> [email protected]

The vulnerability is in [email protected]. More information regarding the vulnerability itself - here.

Could you update the version of your System.Text.Json dependency to depend on a secure version of System.Text.Encodings.Web? The secure versions, as stated in the issue, are 4.5.1, 4.7.2 and >=5.0.1.

Thanks.

@avanigupta (Member)

Hello @tiliev, thanks for reporting this issue. You're right, System.Text.Json v4.6.0 depends on System.Text.Encodings.Web v4.6.0 which has a security vulnerability. However, this vulnerability does not exist in Microsoft.Extensions.Configuration.AzureAppConfiguration package because we have another dependency that overrides the System.Text.Encodings.Web package to v4.7.2, which is a safe version. Here's the dependency chain:

Microsoft.Extensions.Configuration.AzureAppConfiguration (5.0.0) -> Azure.Data.AppConfiguration (1.2.0) -> Azure.Core (1.20.0) -> System.Text.Encodings.Web (4.7.2)

So technically, even though we reference System.Text.Json 4.6.0, the actual version of System.Text.Encodings.Web that gets installed is 4.7.2 because Azure.Core mandates that version.

That being said, we are also looking into addressing the issue more explicitly.

@tiliev (Author)

tiliev commented May 9, 2022

@avanigupta thanks for your input. You are correct. That's good news.

In the end, the workaround we used is to explicitly reference [email protected] in our project. That made our vulnerability detection tool happy.

Thanks for your time.
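The two mechanisms discussed in this thread (a transitive lower bound from Azure.Core lifting System.Text.Encodings.Web to 4.7.2, and a direct project reference pinning it as a workaround) can be reproduced with a small resolver. The script below is an added example, not code from this issue or from the Azure App Configuration project; the package graph is constructed to mirror the chains quoted above, the "safe version" set is the one stated in the first comment (4.5.1, 4.7.2, >=5.0.1), and the resolution rule is NuGet's "lowest applicable version" behaviour for plain `>=` constraints, modelled without per-version dependency lists.

```python
"""Resolve a NuGet-style dependency graph of '>=' lower bounds and audit the
System.Text.Encodings.Web version that actually lands in a project.

Added example (not the project's own code). The graph is constructed from the
chains quoted in the issue; dependency lists are keyed by package name only,
which is enough to show why 4.7.2 wins over 4.6.0.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'4.7.2' -> (4, 7, 2); tuples compare the way NuGet numeric versions do."""
    return tuple(int(part) for part in text.split("."))


# Constructed package graph: package -> [(dependency, minimum version), ...].
# A plain PackageReference version "4.6.0" means ">= 4.6.0", so only lower
# bounds are modelled here.
GRAPH: Dict[str, List[Tuple[str, str]]] = {
    "Microsoft.Extensions.Configuration.AzureAppConfiguration": [
        ("System.Text.Json", "4.6.0"),
        ("Azure.Data.AppConfiguration", "1.2.0"),
    ],
    "System.Text.Json": [("System.Text.Encodings.Web", "4.6.0")],
    "Azure.Data.AppConfiguration": [("Azure.Core", "1.20.0")],
    "Azure.Core": [("System.Text.Encodings.Web", "4.7.2")],
    "System.Text.Encodings.Web": [],
}

# Versions the first comment lists as not affected: exactly 4.5.1 or 4.7.2,
# or anything from 5.0.1 upwards.
SAFE_EXACT = {(4, 5, 1), (4, 7, 2)}
SAFE_MIN = (5, 0, 1)


def is_safe_encodings_web(version: str) -> bool:
    """True when the given System.Text.Encodings.Web version is in the safe set."""
    v = parse_version(version)
    return v in SAFE_EXACT or v >= SAFE_MIN


def resolve(direct_refs: List[Tuple[str, str]],
            graph: Dict[str, List[Tuple[str, str]]]) -> Dict[str, str]:
    """Return {package: resolved version} for the closure of direct_refs.

    With only '>=' constraints, the lowest version satisfying every constraint
    is simply the highest lower bound seen for that package, so one walk that
    keeps the maximum per package is sufficient.
    """
    resolved: Dict[str, Version] = {}
    stack = list(direct_refs)
    while stack:
        pkg, ver = stack.pop()
        v = parse_version(ver)
        if pkg in resolved and resolved[pkg] >= v:
            continue  # an equal or higher lower bound already applies
        resolved[pkg] = v
        for dep, dep_ver in graph.get(pkg, []):
            stack.append((dep, dep_ver))
    return {p: ".".join(map(str, v)) for p, v in resolved.items()}


def audit(direct_refs: List[Tuple[str, str]]) -> Tuple[str, bool]:
    """Resolve the project's references and report the Encodings.Web outcome."""
    versions = resolve(direct_refs, GRAPH)
    chosen = versions["System.Text.Encodings.Web"]
    return chosen, is_safe_encodings_web(chosen)


if __name__ == "__main__":
    scenarios = {
        # The situation from the issue: Azure.Core's bound lifts it to 4.7.2.
        "AzureAppConfiguration 5.0.0 only": [
            ("Microsoft.Extensions.Configuration.AzureAppConfiguration", "5.0.0")],
        # A project that pulls in System.Text.Json 4.6.0 without Azure.Core.
        "System.Text.Json 4.6.0 only": [("System.Text.Json", "4.6.0")],
        # The workaround from the thread: a direct reference to a safe version
        # (4.7.2 assumed here, since the exact version in the post is elided).
        "System.Text.Json 4.6.0 + direct Encodings.Web 4.7.2": [
            ("System.Text.Json", "4.6.0"),
            ("System.Text.Encodings.Web", "4.7.2")],
    }
    for name, refs in scenarios.items():
        version, safe = audit(refs)
        print(f"{name}: System.Text.Encodings.Web {version} -> {'safe' if safe else 'VULNERABLE'}")
```

Running the script prints a line per scenario; the first and third resolve to 4.7.2 and pass, while a project that only brings in System.Text.Json 4.6.0 resolves to 4.6.0 and fails, which is the case a scanner that reads the lock file rather than just the declared chain would flag. Against a real project, `dotnet list package --include-transitive` is the practical way to confirm which version NuGet actually restored.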

@tiliev (Author)

tiliev commented May 13, 2022

Closing as per dotnet/runtime#68931.

@tiliev tiliev closed this as completed May 13, 2022