
Vulnerabilities found when scanning ABP 8.1.1 with dependency track #7150


johnny.nguyen created
  • ABP Framework version: v8.1.1
  • UI Type: Angular
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): Auth Server Separated
  • Exception message and full stack trace: no
  • Steps to reproduce the issue:
    • Run abp update to update from 8.0.4 to 8.1.1
    • Scan all nuget packages with dependency track https://dependencytrack.org/
    • Found the following vulnerability:

| Component | Version | Vulnerability | Severity | Analyzer | Attributed On | Analysis |
| --- | --- | --- | --- | --- | --- | --- |
| Azure.Identity | 1.7.0 | NVD CVE-2023-36414 | High | OSS Index | 6 May 2024 | - |
| Azure.Identity | 1.7.0 | NVD CVE-2024-29992 | Medium | OSS Index | 6 May 2024 | - |
| Microsoft.Data.SqlClient | 5.1.1 | NVD CVE-2024-0056 | High | OSS Index | 6 May 2024 | - |
| Microsoft.IdentityModel.JsonWebTokens | 6.24.0 | NVD CVE-2024-21319 | Medium | OSS Index | 6 May 2024 | - |
| Microsoft.IdentityModel.JsonWebTokens | 7.0.3 | NVD CVE-2024-21319 | Medium | OSS Index | 6 May 2024 | - |
| Microsoft.IdentityModel.Tokens | 6.24.0 | NVD CVE-2024-21319 | Medium | OSS Index | 6 May 2024 | - |
| Microsoft.IdentityModel.Tokens | 7.0.3 | NVD CVE-2024-21319 | Medium | OSS Index | 6 May 2024 | - |
| SixLabors.ImageSharp | 3.0.2 | NVD CVE-2024-27929 | Unassigned | OSS Index | 6 May 2024 | - |
| SixLabors.ImageSharp | 3.0.2 | NVD CVE-2024-32035 | Unassigned | OSS Index | 6 May 2024 | - |
| SixLabors.ImageSharp | 3.0.2 | NVD CVE-2024-32036 | Unassigned | OSS Index | 6 May 2024 | - |

* These packages are children of these two:
    * Volo.Abp.Account.Pro.Public.Application@8.1.1
    * Volo.Abp.EntityFrameworkCore.SqlServer@8.1.1

Please help to verify and provide a patch. Thanks.


5 Answer(s)
  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    SixLabors.ImageSharp, Microsoft.IdentityModel.Tokens, Microsoft.IdentityModel.JsonWebTokens:

    We have upgraded these packages in the next version. https://github.com/abpframework/abp/pull/19634 https://github.com/abpframework/abp/pull/19643

    Azure.Identity, Microsoft.Data.SqlClient:

    ABP does not use these packages; you can check your project's package references.

    As a temporary solution, you can add references to the latest versions of these packages in your project.

  • johnny.nguyen created

    Thanks liangshiwei for the quick response. For Microsoft.Data.SqlClient, as mentioned, it is included in Volo.Abp.EntityFrameworkCore.SqlServer@8.1.1 (screenshots).

    Please help to double check. Thanks!

  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Sorry for that. We will upgrade all related packages.

    As a temporary solution, you can add references to the latest versions of these packages in your project.

    Your ticket was refunded.
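The temporary solution suggested in the answers above is to reference the patched packages directly so that NuGet resolves them instead of the vulnerable versions pulled in transitively through Volo.Abp.Account.Pro.Public.Application and Volo.Abp.EntityFrameworkCore.SqlServer. The project file below is an added illustration, not ABP's own project file or the reporter's: the `FIXED_VERSION_*` values are placeholders to be replaced with the patched version named in each advisory, the `net8.0` target is assumed, and both parent packages are shown in one project for brevity (in a layered ABP solution the override belongs in whichever project references the parent package).

```xml
<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <!-- NuGet's built-in audit (NU1901-NU1904) flags known-vulnerable packages at
         restore time; "all" also covers transitive packages (SDK 8.0.400 or later).
         Promoting the warnings to errors makes a regression fail the build before
         the next Dependency-Track scan sees it. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>moderate</NuGetAuditLevel>
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Parent packages from the ticket that bring in the vulnerable dependencies. -->
    <PackageReference Include="Volo.Abp.Account.Pro.Public.Application" Version="8.1.1" />
    <PackageReference Include="Volo.Abp.EntityFrameworkCore.SqlServer" Version="8.1.1" />
  </ItemGroup>

  <ItemGroup>
    <!-- Temporary override. A direct reference wins over a transitive one
         ("nearest wins"), but only when its version is at least the transitive
         minimum; a lower version is reported as a downgrade (NU1605) instead.
         Placeholders: replace each FIXED_VERSION_* with the patched version from
         the corresponding advisory, and remove these lines once ABP ships the
         upgraded dependencies so the override does not pin you to an old release. -->
    <PackageReference Include="Microsoft.Data.SqlClient" Version="FIXED_VERSION_SQLCLIENT" />
    <PackageReference Include="Azure.Identity" Version="FIXED_VERSION_AZURE_IDENTITY" />
    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="FIXED_VERSION_IDENTITYMODEL" />
    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="FIXED_VERSION_IDENTITYMODEL" />
    <PackageReference Include="SixLabors.ImageSharp" Version="FIXED_VERSION_IMAGESHARP" />
  </ItemGroup>

</Project>
```

After `dotnet restore`, `dotnet list package --vulnerable --include-transitive` shows whether any of the listed packages still resolves to a vulnerable version; the override only takes effect in the project that holds it, so each project whose graph contains the parent package needs its own entry, and the Dependency-Track rescan should be run against the regenerated lock or SBOM rather than the old one.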

  • johnny.nguyen created

    Hi liangshiwei, thanks again.

  • liangshiwei created
    Support Team Fullstack Developer

    https://github.com/abpframework/abp/pull/19730

Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11