[BUG] CVE-2023-36414 #39366

Closed
Mike-E-angelo opened this issue Oct 18, 2023 · 5 comments
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@Mike-E-angelo

Library name and version

1.10.2

Describe the bug

I am getting a dependabot notification for the following issue:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36414

This seems to be for 1.10.2, which is the latest version. Is there not a new version available that addresses this high-severity issue?

Expected behavior

Secure software :)

Actual behavior

Looks like an 8.8-rated vulnerability has been detected and no fix has been deployed, leaving users incredibly vulnerable.

Reproduction Steps

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36414

Environment

.NET7 -- thank you for any assistance.

@github-actions github-actions bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Oct 18, 2023
@m-redding m-redding added Client This issue points to a problem in the data-plane of the library. Azure.Identity needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. labels Oct 18, 2023
@m-redding
Member

Thank you for your feedback. Tagging and routing to the team member best able to assist.

cc: @christothes @schaabs

@nwoolls

nwoolls commented Oct 18, 2023

Seeing the same thing here with the output of dotnet list package --vulnerable --include-transitive - this started "breaking builds" an hour or so ago.

@joshfree
Member

@Mike-E-angelo @nwoolls this is a problem on GitHub's side, which will be fixed once this PR is merged here: github/advisory-database#2863

github/advisory-database#2863 is the right PR to add any additional comments or feedback for the dependabot alert

@Mike-E-angelo
Author

This is excellent news @joshfree thank you!

@taladrane

taladrane commented Oct 18, 2023

Hi all 👋 thank you so much for the contribution, just following up to let you know that we've fixed this! Apologies for the mistake 🙇‍♀️

@github-actions github-actions bot locked and limited conversation to collaborators Jan 16, 2024