Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/
Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index
The exact solution to your question may have been answered before, please use the search on the homepage.
-
ABP Framework version: v3.0.4
-
UI type: Angular
-
Tiered (MVC) or Identity Server Seperated (Angular): yes
-
Exception message and stack trace:
-
We scanned our project code base through Snyk tool (Synk.io) and it reported few vulnerabilites. While reviewing we found that the assemblies like "System.Net.Http" and "System.Text.RegularExpressions" are not directly referenced in our code base and thus we could n't upgrade them to latest and resolve these issues. Is this something, ABP can do upgrade of framework code base in order for us to address these issues. Below are the vulnerabilities reported -
Denial of Service (DoS)
Improper Certificate Validation
Information Exposure
Regular Expression Denial of Service (ReDoS)
Privilege Escalation
Authentication Bypass
Vulnerable module: System.Net.Http
Introduced through: xunit.extensibility.execution@2.4.1 and xunit@2.4.1
Exploit maturity: No known exploit
Fixed in: 4.1.2, 4.3.2
Introduced through: project@* › xunit.extensibility.execution@2.4.1 › NETStandard.Library@1.6.1 › System.Net.Http@4.3.0
Introduced through: project@* › xunit@2.4.1 › xunit.assert@2.4.1 › NETStandard.Library@1.6.1 › System.Net.Http@4.3.0
Introduced through: project@* › xunit.extensibility.execution@2.4.1 › xunit.extensibility.core@2.4.1 › NETStandard.Library@1.6.1 › System.Net.Http@4.3.0
Vulnerable module: System.Text.RegularExpressions
Introduced through: meta-common-packages@meta
Exploit maturity: No known exploit
Fixed in: 4.3.1
Introduced through: project@* › meta-common-packages@meta › System.Text.RegularExpressions@4.3.0
-
Steps to reproduce the issue:
1 Answer(s)
-
0
I couldn't find
System.Net.HttporSystem.Text.RegularExpressionsin ABP new projects.
Maybe one of your libraries added these DLLs.,Angular:
MVC:
