Azure / azure-functions-docker

This repo contains the base Docker images for working with Azure Functions.
MIT License

CVE-2024-38095 Vulnerability #1110

Open seancostigan opened 2 months ago

seancostigan commented 2 months ago

Description: We are using the Docker image mcr.microsoft.com/azure-functions/dotnet-isolated:4-dotnet-isolated8.0. This image includes System.Formats.Asn1 version 5.0.0, which is affected by https://nvd.nist.gov/vuln/detail/CVE-2024-38095. Please update System.Formats.Asn1 to a version that addresses this vulnerability.

Steps to Reproduce:

  1. Use mcr.microsoft.com/azure-functions/dotnet-isolated:4-dotnet-isolated8.0 in a Dockerfile.
  2. Run a vulnerability scan (I'm using Aqua).

Expected Behavior: No critical vulnerabilities should be present.

Actual Behavior: https://nvd.nist.gov/vuln/detail/CVE-2024-38095 is detected due to System.Formats.Asn1 version 5.0.0.
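
To triage a finding like this one, it helps to know which component inside the image actually ships the flagged package. The following is an added example, not part of the issue thread or the repository: it searches an unpacked image filesystem for .NET `*.deps.json` manifests that list a given package. It assumes the image has already been exported to a local directory; the manifest paths and the `Example.Dependency` entry are constructed sample data.

```python
import json
import os
import tempfile

def find_package(root, package):
    """Return sorted (deps.json path, version) pairs for `package` under `root`."""
    hits = []
    wanted = package.lower()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.endswith(".deps.json"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    libraries = json.load(fh).get("libraries", {})
            except (OSError, ValueError, AttributeError):
                continue  # unreadable or malformed manifest: skip it
            for key in libraries:
                # Keys have the form "<PackageId>/<version>"; NuGet ids are case-insensitive.
                name, _, version = key.partition("/")
                if name.lower() == wanted:
                    hits.append((os.path.relpath(path, root), version))
    return sorted(hits)

def build_sample(root):
    """Write two constructed manifests: one lists the package, one does not."""
    samples = {
        "host/Worker.deps.json": {"libraries": {
            "System.Formats.Asn1/5.0.0": {"type": "package"},
            "Example.Dependency/1.2.3": {"type": "package"}}},
        "app/MyFunction.deps.json": {"libraries": {
            "Example.Dependency/1.2.3": {"type": "package"}}},
    }
    for rel, doc in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(doc, fh)

if __name__ == "__main__":
    # Demo on constructed data; point find_package at an exported image root instead.
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for path, version in find_package(root, "System.Formats.Asn1"):
            print(f"{path}: System.Formats.Asn1 {version}")
```

A hit under the base image's own directories points at the host runtime, which only an updated base image can fix; a hit under the application directory can be fixed by updating the app's own package references.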

leonovss commented 3 weeks ago

Also, an identical vulnerability is currently being observed in both:

mcr.microsoft.com/azure-functions/dotnet-isolated:4-nightly-dotnet-isolated6.0
mcr.microsoft.com/azure-functions/dotnet-isolated:4-dotnet-isolated6.0

pkpaul5 commented 1 week ago

Hi Team, when will this issue be addressed? We are stuck. Defender is raising this as a vulnerability issue.