Worker.Extensions.CosmosDB is using old Azure.Identity package (v1.4) with vulnerabilities #2373
Assignees
Labels
bug
Something isn't working
Comments
|
This has been resolved with #2378 and released with 4.8 https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Extensions.CosmosDB/4.8.0 @Astral100 thank you for the issue. In the future, please see https://github.com/Azure/azure-functions-dotnet-worker/security/policy#reporting-security-issues for CVE reporting. Thanks! |
|
@fabiocav Wonderful, thank you very much for the fast fix! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
This is similar to this issue (Azure/azure-functions-durable-extension#2759), just for a different package.
When using the latest
Microsoft.Azure.Functions.Worker.Extensions.CosmosDBpackage Version="4.7.0", in the .Net 8.0 project, it pulls the oldAzure.Identitypackage version 1.4 into.azurefunctionsfolder, which is then being reported by our vulnerability scanning tool Wiz:Is it possible to update
Worker.Extensions.CosmosDBpackage to use the latest identity library please?Steps to reproduce
Install
Microsoft.Azure.Functions.Worker.Extensions.CosmosDBpackage Version="4.7.0", in the .Net 8.0 Azure Functions project and check theAzure.Identitypackage version in the.azurefunctionsfolderThe text was updated successfully, but these errors were encountered: