Microsoft.Azure.WebJobs.Script.Abstractions 1.0.4-preview leads to CVE-2021-24112 #10067
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Check for a solution in the Azure portal
When taking a dependency to Microsoft.Azure.WebJobs.Script.Abstractions 1.0.4-preview (latest version in NuGet feed as of today - https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Script.Abstractions/#versions-body-tab ), we are getting alert for this CVE:
Microsoft Security Advisory CVE-2021-24112 | .NET 5 and .NET Core Remote Code Execution Vulnerability #176
dotnet/announcements#176
Investigative information
Apparently, there is a reference to System.Drawing.Common version 6.0.0.
Repro steps
Provide the steps required to reproduce the problem:
Take a dependency to the NuGet package and run through governed repository component compliance scan (contact me directly for Microsoft internal scan sample).
Expected behavior
Provide a description of the expected behavior.
Build should be clear of CVE alerts.
Actual behavior
Provide a description of the actual behavior observed.
CVE-2021-24112 during build component compliance scan
Known workarounds
Provide a description of any known workarounds.
Possibly do a direct reference to System.Drawing.Common version (8.0.x) from the project taking dependency to Microsoft.Azure.WebJobs.Script.Abstractions. However, I expected build to generate an assembly version conflict so we can generate a matching redirect, but no such version conflict is generated from build, so it is unclear if this workaround will actually mitigate the issue.
Related information
Provide any related information
C# .NET 6.0
The text was updated successfully, but these errors were encountered: