Open Closed

Vulnerabilities found when scanning ABP 8.1.1 with dependency track #7150


User avatar
0
johnny.nguyen created
  • ABP Framework version: v8.1.1
  • UI Type: Angular
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): Auth Server Separated
  • Exception message and full stack trace: no
  • Steps to reproduce the issue:
    • Run abp update to update from 8.0.4 to 8.1.1
    • Scan all nuget packages with dependency track https://dependencytrack.org/
    • Found the following vulnerability:

| | | | | | | | | | | --- | --- | --- | --- | --- | --- | --- | --- | --- | | | <br>Azure.Identity | 1.7.0 | | NVD CVE-2023-36414 | High | OSS Index | 6 May 2024 | - | | | Azure.Identity | 1.7.0 | | NVD CVE-2024-29992 | Medium | OSS Index | 6 May 2024 | - | | | | Microsoft.Data.SqlClient | 5.1.1 | | NVD CVE-2024-0056 | High | OSS Index | 6 May 2024 | - | | | | Microsoft.IdentityModel.JsonWebTokens | 6.24.0 | | NVD CVE-2024-21319 | Medium | OSS Index | 6 May 2024 | - | | | | Microsoft.IdentityModel.JsonWebTokens | 7.0.3 | | NVD CVE-2024-21319 | Medium | OSS Index | 6 May 2024 | - | | | | Microsoft.IdentityModel.Tokens | 6.24.0 | | NVD CVE-2024-21319 | Medium | OSS Index | 6 May 2024 | - | | | | Microsoft.IdentityModel.Tokens | 7.0.3 | | NVD CVE-2024-21319 | Medium | OSS Index | 6 May 2024 | - | | | | SixLabors.ImageSharp | 3.0.2 | | NVD CVE-2024-27929 | Unassigned | OSS Index | 6 May 2024 | - | | | | SixLabors.ImageSharp | 3.0.2 | | NVD CVE-2024-32035 | Unassigned | OSS Index | 6 May 2024 | - | | | | SixLabors.ImageSharp | 3.0.2 | | NVD CVE-2024-32036 | Unassigned | OSS Index | 6 May 2024 | - |

* These packages are the children of this two:
    * Volo.Abp.Account.Pro.Public.Application@8.1.1
    * Volo.Abp.EntityFrameworkCore.SqlServer@8.1.1
    * 
    * 

Please help to verify and provide a patch. Thanks.


5 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    SixLabors.ImageSharp Microsoft.IdentityModel.Tokens Microsoft.IdentityModel.JsonWebTokens

    We have upgraded these packages in the next version. https://github.com/abpframework/abp/pull/19634 https://github.com/abpframework/abp/pull/19643

    Azure.Identity Microsoft.Data.SqlClient

    ABP does not use these packages, you can check your project package references

    As a temporary solution, you can add references to the latest versions of these packages in your project

  • User Avatar
    0
    johnny.nguyen created

    Hi,

    SixLabors.ImageSharp Microsoft.IdentityModel.Tokens Microsoft.IdentityModel.JsonWebTokens

    We have upgraded these packages in the next version. https://github.com/abpframework/abp/pull/19634 https://github.com/abpframework/abp/pull/19643

    Azure.Identity Microsoft.Data.SqlClient

    ABP does not use these packages, you can check your project package references

    As a temporary solution, you can add references to the latest versions of these packages in your project

    Thanks liangshiwei for quick response, For Microsoft.Data.SqlClient, as mentioned, it's included in Volo.Abp.EntityFrameworkCore.SqlServer@8.1.1 (screenshots)

    Please help to double check. Thanks!

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Sorry for that. We will upgrade all related packages.

    As a temporary solution, you can add references to the latest versions of these packages in your project

    Your ticket was refunded.

  • User Avatar
    0
    johnny.nguyen created

    Hi,

    Sorry for that. We will upgrade all related packages.

    As a temporary solution, you can add references to the latest versions of these packages in your project

    Your ticket was refunded.

    Hi liangshiwei, thanks again.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    https://github.com/abpframework/abp/pull/19730

Made with ❤️ on ABP v9.1.0-preview. Updated on December 10, 2024, 06:38