Azure / azure-functions-dotnet-worker

Azure Functions out-of-process .NET language worker
MIT License

SDK with EventHubs extension relies on vulnerable WebJobs.Extensions.EventHubs library #2620

Closed unionthugface closed 1 month ago

unionthugface commented 1 month ago

Description

This was originally mentioned here:

Originally posted by @aaronyiow97 in https://github.com/Azure/azure-functions-durable-extension/issues/2759#issuecomment-2223153049

Functions Worker SDK for .NET 6+ using Event Hubs has a dependency on Microsoft.Azure.WebJobs.Extensions.EventHubs v6.3.2, which has further dependencies on the following vulnerable libraries:

Both of these are vulnerable to CVE-2024-35255/CWE-362 (privilege escalation) as MS.Identity.Client is likewise vulnerable to CVE-2024-27086 (DoS).

When an Azure Functions .NET application that uses Event Hubs Triggers is compiled using the SDK, it creates a file called function.deps.json. Even if updated versions of these libraries are specified in the CSPROJ file, the mechanism that builds the function.deps.json file still brings in the vulnerable libraries.

Steps to reproduce

Create an out-of-process .NET 6-8 Azure Functions application. Make sure to include the latest Microsoft.Azure.Functions.Worker.Sdk NuGet package (v1.17.4) and the Microsoft.Azure.Functions.Worker.Extensions.EventHubs library (v6.3.1). Build the project, and you will see in the bin\Debug\net{version}\.azurefunctions\function.deps.json file references to Microsoft.Identity.Client v4.60.1 and Azure.Identity v1.11.0.
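The report above boils down to a supply-chain check a practitioner can automate: read the generated function.deps.json, compare each resolved package against the minimum version that carries the fix, and, for anything below the floor, walk the dependency graph backwards to show which package dragged it in (here the csproj pin does not help because the transitive chain goes through Microsoft.Azure.WebJobs.Extensions.EventHubs). The script below is an added example, not code from the issue or from the azure-functions-dotnet-worker project. The embedded deps.json is constructed to mirror the versions named in the issue, the project name `MyFunctionApp` is made up, and the version floors in `ILLUSTRATIVE_FLOORS` are assumptions for the demonstration; take the real floors from the CVE advisories before relying on the output.

```python
"""Audit a .NET function.deps.json for transitive packages below a fixed-version floor.

Added example for the issue above; not part of the project. The sample document
is constructed to look like a .deps.json generated for the reported scenario.
"""
import json
import sys

# Assumed minimum safe versions, used only to illustrate the check.
# Replace with the fixed versions stated in the advisories for
# CVE-2024-35255 and CVE-2024-27086 before using this against a real build.
ILLUSTRATIVE_FLOORS = {
    "Azure.Identity": "1.11.4",
    "Microsoft.Identity.Client": "4.61.3",
}

# Constructed sample (not a real build artifact). Package names and versions
# follow the issue report; "MyFunctionApp" is a made-up project name.
SAMPLE_DEPS_JSON = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v8.0", "signature": ""},
    "targets": {
        ".NETCoreApp,Version=v8.0": {
            "MyFunctionApp/1.0.0": {"dependencies": {
                "Microsoft.Azure.Functions.Worker.Extensions.EventHubs": "6.3.1"}},
            "Microsoft.Azure.Functions.Worker.Extensions.EventHubs/6.3.1": {"dependencies": {
                "Microsoft.Azure.WebJobs.Extensions.EventHubs": "6.3.2"}},
            "Microsoft.Azure.WebJobs.Extensions.EventHubs/6.3.2": {"dependencies": {
                "Azure.Identity": "1.11.0"}},
            "Azure.Identity/1.11.0": {"dependencies": {
                "Microsoft.Identity.Client": "4.60.1"}},
            "Microsoft.Identity.Client/4.60.1": {},
        }
    },
    "libraries": {
        "MyFunctionApp/1.0.0": {"type": "project", "serviceable": False},
        "Microsoft.Azure.Functions.Worker.Extensions.EventHubs/6.3.1": {"type": "package"},
        "Microsoft.Azure.WebJobs.Extensions.EventHubs/6.3.2": {"type": "package"},
        "Azure.Identity/1.11.0": {"type": "package"},
        "Microsoft.Identity.Client/4.60.1": {"type": "package"},
    },
})


def parse_version(text):
    """Turn a NuGet version string into a comparable key.

    Numeric parts are padded to four components; a prerelease suffix
    (e.g. "1.12.0-beta.1") sorts below the release with the same numbers.
    Prerelease labels are compared as plain strings, which is good enough here.
    """
    core, _, prerelease = text.partition("-")
    nums = tuple(int(part) for part in core.split("."))
    nums += (0,) * (4 - len(nums))
    return (nums, 0 if prerelease else 1, prerelease)


def resolved_packages(deps):
    """Map package name -> resolved version for every NuGet package in the file."""
    packages = {}
    for key, lib in deps.get("libraries", {}).items():
        if lib.get("type") != "package":
            continue  # skip project references
        name, _, version = key.partition("/")
        packages[name] = version
    return packages


def dependency_paths(deps, target):
    """Return every path from a root (no parents) down to `target`.

    The graph is read from the targets section; each entry's "dependencies"
    lists the packages it pulls in, so we invert it into a parent lookup.
    """
    graph = deps["targets"][deps["runtimeTarget"]["name"]]
    parents = {}
    for key, node in graph.items():
        parent = key.partition("/")[0]
        for dep in node.get("dependencies", {}):
            parents.setdefault(dep, []).append(parent)

    paths = []

    def walk(name, path):
        if name not in parents:
            paths.append([name] + path)  # reached a root of the graph
            return
        for parent in parents[name]:
            if parent not in path:  # guard against cycles
                walk(parent, [name] + path)

    walk(target, [])
    return paths


def audit(deps_json_text, floors):
    """Report packages below their floor, with the chains that pulled them in."""
    deps = json.loads(deps_json_text)
    found = resolved_packages(deps)
    report = {}
    for name, floor in floors.items():
        if name in found and parse_version(found[name]) < parse_version(floor):
            report[name] = {"found": found[name], "floor": floor,
                            "paths": dependency_paths(deps, name)}
    return report


if __name__ == "__main__":
    # Usage: python audit_deps.py bin/Debug/net8.0/.azurefunctions/function.deps.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEPS_JSON
    for name, info in audit(text, ILLUSTRATIVE_FLOORS).items():
        print(f"{name} {info['found']} is below floor {info['floor']}")
        for path in info["paths"]:
            print("   pulled in via: " + " -> ".join(path))
```

Run against a real build output, the paths printed for each flagged package tell you whether bumping the package in the csproj can work at all, or whether, as in this issue, the pin is bypassed by a transitive reference that only a new release of the extension package can move.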

jsep925 commented 1 month ago

We have the exact same issue. Updated Microsoft.Azure.Functions.Worker.Sdk to the latest one, 1.17.4, but the issue is still there.

From Visual Studio, Azure.Identity is 1.12, but function.deps.json still references 1.11.0.

surgupta-msft commented 1 month ago

Here is the updated package - https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Extensions.EventHubs