
Microsoft.Azure.WebJobs.Script.Abstractions 1.0.4-preview leads to CVE-2021-24112 #10067

Open
daviburg opened this issue Apr 24, 2024 · 0 comments

Comments


Check for a solution in the Azure portal

When taking a dependency on Microsoft.Azure.WebJobs.Script.Abstractions 1.0.4-preview (the latest version in the NuGet feed as of today - https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Script.Abstractions/#versions-body-tab ), we are getting an alert for this CVE:

Microsoft Security Advisory CVE-2021-24112 | .NET 5 and .NET Core Remote Code Execution Vulnerability #176
dotnet/announcements#176

Investigative information

Apparently, there is a reference to System.Drawing.Common version 6.0.0.

Repro steps

Provide the steps required to reproduce the problem:

Take a dependency to the NuGet package and run through governed repository component compliance scan (contact me directly for Microsoft internal scan sample).

Expected behavior

Provide a description of the expected behavior.

Build should be clear of CVE alerts.

Actual behavior

Provide a description of the actual behavior observed.

CVE-2021-24112 during build component compliance scan

Known workarounds

Provide a description of any known workarounds.

Possibly add a direct reference to System.Drawing.Common (version 8.0.x) from the project taking a dependency on Microsoft.Azure.WebJobs.Script.Abstractions. However, I expected the build to generate an assembly version conflict so we could generate a matching redirect, but no such version conflict is generated by the build, so it is unclear whether this workaround will actually mitigate the issue.

Related information

Provide any related information

C# .NET 6.0
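The workaround described in the issue, written out as an added example (constructed here, not code from the issue author or the Azure Functions project): a direct PackageReference to System.Drawing.Common makes NuGet's nearest-wins resolution pick that version over the 6.0.0 transitive reference. The package names and the 8.0.x version come from the issue; the target framework is assumed, and the NuGetAudit settings assume a .NET 8 SDK (NuGet 6.8 or later; transitive auditing needs NuGetAuditMode support).

```xml
<!-- Before (constructed): System.Drawing.Common 6.0.0 arrives only transitively via the Abstractions package -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Azure.WebJobs.Script.Abstractions" Version="1.0.4-preview" />
  </ItemGroup>
</Project>

<!-- After: the direct reference overrides the transitive one (nearest-wins), using the 8.0.x
     version the issue suggests. Restore now resolves System.Drawing.Common to 8.0.x for the
     whole graph, which is what the compliance scanner reads; no binding redirect is involved
     on net6.0 because .NET (Core) resolves assemblies from deps.json rather than app.config. -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <!-- Optional (assumes .NET 8 SDK): have restore warn on known advisories for the
         full graph, and turn those warnings into build errors so regressions cannot ship. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Azure.WebJobs.Script.Abstractions" Version="1.0.4-preview" />
    <!-- Direct reference pinning the transitive dependency to a version without the advisory -->
    <PackageReference Include="System.Drawing.Common" Version="8.0.*" />
  </ItemGroup>
</Project>
```

To confirm what actually resolved after `dotnet restore`, run `dotnet list package --include-transitive --vulnerable`, which prints the resolved version of every transitive package alongside any advisory it matches.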
