Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License

Azure Storage Library Information Disclosure Vulnerability (CVE-2022-30187) #35790

Closed ababdbokaro closed 9 months ago

ababdbokaro commented 1 year ago

Library name and version

Microsoft.Azure.WebJobs.Extensions.Storage.Queues@5.1.1

Describe the bug

We found CVE-2022-30187 and CWE-668 (Exposure of Resource to Wrong Sphere) reported by the OWASP dependency checker for pkg:nuget/Microsoft.Azure.WebJobs.Extensions.Storage.Queues@5.1.1

Report attached here: dependency-check-report (5) (1).csv

Expected behavior

There should not be an Azure Storage Library Information Disclosure Vulnerability with the latest Microsoft.Azure.WebJobs.Extensions.Storage.Queues@5.1.1

Actual behavior

There is an Azure Storage Library Information Disclosure Vulnerability (CVE-2022-30187). Please find below the report generated by the OWASP dependency checker tool: dependency-check-report (5) (1).csv

Reproduction Steps

Scan the application which uses the Microsoft.Azure.WebJobs.Extensions.Storage.Queues@5.1.1 NuGet package with the OWASP dependency checker tool.

Open the generated report; the following Azure Storage Library Information Disclosure Vulnerability will be observed.

Environment

Windows 11, .NET 6.0

github-actions[bot] commented 1 year ago

Thank you for your feedback. This has been routed to the support team for assistance.

SwathiDhanwada-MSFT commented 1 year ago

@ababdbokaro Thanks for your comment. Can you please provide the below information?

SwathiDhanwada-MSFT commented 1 year ago

@ababdbokaro May I ask if you had the chance to review my comment? Kindly revert with the requested information.

github-actions[bot] commented 1 year ago

Hi @ababdbokaro. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

github-actions[bot] commented 1 year ago

Hi @ababdbokaro, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

ababdbokaro commented 1 year ago

@ababdbokaro Thanks for your comment. Can you please provide the below information?

  • Do you use an Azure Storage SDK to perform client-side encryption?
  • Which SDK (blob, queue etc.) and which version of the SDK are you using?

ababdbokaro commented 1 year ago

I am using Microsoft.Azure.WebJobs.Extensions.Storage.Queues in my Azure Function to read messages from Azure Queue Storage, version 5.1.2.

github-actions[bot] commented 1 year ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.

seanmcc-msft commented 9 months ago

@ababdbokaro, https://github.com/advisories/GHSA-64x4-9hc6-r2h6 was addressed in Azure.Storage.Queues 12.11.1 and Azure.Storage.Blobs 12.13.0.

Microsoft.Azure.WebJobs.Extensions.Storage.Queues 5.1.1 depends on Azure.Storage.Queues 12.13.1, and should not be affected by this issue.
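As an added example (not part of this issue thread or the Azure SDK), a small Python triage script that applies the check in the reply above to the text output of `dotnet list package --include-transitive`: it reads the resolved version of each transitive Azure Storage package and compares it with the fixed versions quoted from GHSA-64x4-9hc6-r2h6. The package listing below is constructed sample data; the Azure.Storage.Blobs and Azure.Storage.Common rows and their versions are assumptions added to show what a flagged package looks like.

```python
"""Triage a dependency-check hit for GHSA-64x4-9hc6-r2h6 / CVE-2022-30187.

Parses the output of `dotnet list package --include-transitive` and flags
any package from the advisory whose resolved version is below the fix.
"""
import re

# Fixed versions as quoted in the issue thread (from the GitHub advisory).
FIXED = {
    "Azure.Storage.Queues": "12.11.1",
    "Azure.Storage.Blobs": "12.13.0",
}

# Constructed sample listing in the shape of `dotnet list package
# --include-transitive`; the Blobs and Common rows are assumptions.
SAMPLE_LISTING = """\
Project 'QueueTriggerFunction' has the following package references
   [net6.0]:
   Top-level Package                                      Requested   Resolved
   > Microsoft.Azure.WebJobs.Extensions.Storage.Queues    5.1.1       5.1.1

   Transitive Package                                     Resolved
   > Azure.Storage.Common                                 12.12.0
   > Azure.Storage.Queues                                 12.13.1
   > Azure.Storage.Blobs                                  12.12.0
"""

# A package row starts with '>'; the last column is always the resolved version.
ROW = re.compile(r"^\s*>\s+(\S+)((?:\s+\S+)+)\s*$")


def parse_listing(text):
    """Return {package: resolved_version} for every package row in the listing."""
    resolved = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            resolved[m.group(1)] = m.group(2).split()[-1]
    return resolved


def version_tuple(version):
    """Numeric version key; pads to four parts so '12.13' == '12.13.0'."""
    parts = [int(p) for p in version.split("-", 1)[0].split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def affected_packages(resolved, fixed=FIXED):
    """Return {package: (resolved, fixed)} for packages still below the fixed version."""
    return {pkg: (ver, fixed[pkg]) for pkg, ver in resolved.items()
            if pkg in fixed and version_tuple(ver) < version_tuple(fixed[pkg])}


if __name__ == "__main__":
    hits = affected_packages(parse_listing(SAMPLE_LISTING))
    for pkg, (have, need) in hits.items():
        print(f"{pkg} {have} is below the fixed version {need}: upgrade it")
    if not hits:
        print("no package in the listing is below the advisory's fixed version")
```

With the sample data, Azure.Storage.Queues 12.13.1 passes (matching the reply above) and only the constructed Azure.Storage.Blobs 12.12.0 row is flagged, which is the distinction a scanner matching on the top-level package name alone does not make.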