Update Dependency On Azure.Identity >= 1.10.2 For CVE-2023-36414 #2181
Comments
|
@BlythMeister there is a work in progress to update most of the dependencies versions in near future, in a month or less. We will update this thread when it is done. |
|
I have a step in my build process that scans for vulnerabilities (transient or direct dependencies) and reports any vulnerability as a build warning. Every pipeline for MS should be reporting a build error if a vulnerability is detected with daily builds. It's too easy to do the scanning so there should be a process in place to automate this detection. $0.02 |
|
This would also likely update the "DefaultCredential" to support Azure Workload Identity, which would be a welcome addition: https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview?tabs=dotnet#azure-identity-client-libraries |
|
Do we have a timeline on when this fix will become GA as a number of other libraries will need to update their dependencies for this CVE? |
|
@thompson-tomo Current plan is ultimo Feb (this year) 😉 |
|
Gentle ping. The problem is still here. |
CVE-2024-29992 is not related to this issue. The version was updated to 1.10.3 at the time. PR #2462 is under review to address the new CVE. |
|
@JRahnama that PR was merged 2 weeks ago. What's the timeline on a release. |
Microsoft.Data.SqlClient has a dependency on Azure.Identity with a version that is below the remediation for CVE-2023-36414.
Azure.Identity minimum version should be >= 1.10.2 in order to ensure Microsoft.Data.SqlClient is not exposing consumers to the vulnerable version.
Due to nuget operating a lowest possible version resolution, as standard, any consumer of Microsoft.Data.SqlClient who does not also specify Azure.Identity will be vulnerable.
The text was updated successfully, but these errors were encountered: