Open Closed

Vulnerabilities reported while scanning code base #419


User avatar
0
Repunjay created

Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

  • ABP Framework version: v3.0.4
  • UI type: Angular
  • Tiered (MVC) or Identity Server Seperated (Angular): yes
  • Exception message and stack trace:
  • We scanned our project code base through Snyk tool (Synk.io) and it reported few vulnerabilites. While reviewing we found that the assemblies like "System.Net.Http" and "System.Text.RegularExpressions" are not directly referenced in our code base and thus we could n't upgrade them to latest and resolve these issues. Is this something, ABP can do upgrade of framework code base in order for us to address these issues. Below are the vulnerabilities reported -

Denial of Service (DoS) Improper Certificate Validation Information Exposure Regular Expression Denial of Service (ReDoS) Privilege Escalation Authentication Bypass

Vulnerable module: System.Net.Http Introduced through: xunit.extensibility.execution@2.4.1 and xunit@2.4.1 Exploit maturity: No known exploit Fixed in: 4.1.2, 4.3.2 Introduced through: project@* › xunit.extensibility.execution@2.4.1 › NETStandard.Library@1.6.1 › System.Net.Http@4.3.0 Introduced through: project@* › xunit@2.4.1 › xunit.assert@2.4.1 › NETStandard.Library@1.6.1 › System.Net.Http@4.3.0 Introduced through: project@* › xunit.extensibility.execution@2.4.1 › xunit.extensibility.core@2.4.1 › NETStandard.Library@1.6.1 › System.Net.Http@4.3.0

Vulnerable module: System.Text.RegularExpressions Introduced through: meta-common-packages@meta Exploit maturity: No known exploit Fixed in: 4.3.1 Introduced through: project@* › meta-common-packages@meta › System.Text.RegularExpressions@4.3.0

  • Steps to reproduce the issue:

1 Answer(s)
  • User Avatar
    0
    alper created
    Support Team Director

    I couldn't find System.Net.Http or System.Text.RegularExpressions in ABP new projects. Maybe one of your libraries added these DLLs.,

    Angular:


    MVC:

Made with ❤️ on ABP v9.1.0-preview. Updated on October 11, 2024, 07:13