Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License

[BUG] update Microsoft.Azure.WebJobs.Extensions.EventGrid to newer version of Microsoft.Extensions.Azure to fix CVE-2024-29992 (transitive via Azure.Identity) #45233

Closed briandunnington closed 3 months ago

briandunnington commented 3 months ago

Library name and version

Microsoft.Azure.WebJobs.Extensions.EventGrid v3.4.1

Describe the bug

Microsoft.Azure.WebJobs.Extensions.EventGrid v3.4.1 references Microsoft.Extensions.Azure v1.7.3, which references Azure.Identity v1.11.0, which has a security vulnerability, CVE-2024-29992.

Azure.Identity >= 1.11.4 contains the fix and is referenced by Microsoft.Extensions.Azure v1.7.4.


Expected behavior

Using Microsoft.Azure.WebJobs.Extensions.EventGrid does not result in any CVE issues.

Actual behavior

Microsoft.Azure.WebJobs.Extensions.EventGrid v3.4.1 results in CVE-2024-29992.

Reproduction Steps

Any reference to this version results in the CVE being flagged.

Environment

No response
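
The transitive chain described in this report can be confirmed from a project's restored dependency graph. The following is an added example, not part of the original issue or the SDK: it walks a constructed sample shaped like NuGet's `obj/project.assets.json` and reports every chain that resolves Azure.Identity below 1.11.4. The function names and the `net8.0` target are assumptions made for illustration.

```python
import json

# Constructed sample shaped like obj/project.assets.json (only the fields read below).
# Package ids and versions are the ones named in the issue; "net8.0" is an assumption.
SAMPLE_ASSETS = json.loads("""{
  "targets": {"net8.0": {
    "Microsoft.Azure.WebJobs.Extensions.EventGrid/3.4.1":
      {"type": "package", "dependencies": {"Microsoft.Extensions.Azure": "1.7.3"}},
    "Microsoft.Extensions.Azure/1.7.3":
      {"type": "package", "dependencies": {"Azure.Identity": "1.11.0"}},
    "Azure.Identity/1.11.0": {"type": "package"}}},
  "project": {"frameworks": {"net8.0": {"dependencies": {
    "Microsoft.Azure.WebJobs.Extensions.EventGrid": {"target": "Package", "version": "[3.4.1, )"}}}}}
}""")


def parse_version(text):
    # Compare the numeric part only; prerelease suffixes are ignored in this sketch.
    return tuple(int(part) for part in text.split("-")[0].split("."))


def paths_to_vulnerable(assets, package, fixed_version):
    """Return (target, chain) for each chain resolving `package` below `fixed_version`."""
    # Direct references of the project, across all target frameworks.
    direct = {name for fw in assets["project"]["frameworks"].values()
              for name in fw.get("dependencies", {})}
    findings = []
    for target, libs in assets["targets"].items():
        # Keys are "Id/ResolvedVersion"; NuGet ids are case-insensitive.
        graph = {}
        for key, info in libs.items():
            name, version = key.split("/", 1)
            graph[name.lower()] = (f"{name}/{version}", version, info.get("dependencies", {}))
        hit = graph.get(package.lower())
        if hit is None or parse_version(hit[1]) >= parse_version(fixed_version):
            continue  # not present, or already resolved to a fixed version
        stack = [[name.lower()] for name in sorted(direct)]
        while stack:
            path = stack.pop()
            node = graph.get(path[-1])
            if node is None:
                continue
            if path[-1] == package.lower():
                findings.append((target, [graph[p][0] for p in path]))
                continue
            for dep in node[2]:
                if dep.lower() not in path:  # guard against cycles
                    stack.append(path + [dep.lower()])
    return findings
```

To check a real project, load its `obj/project.assets.json` after a restore and pass the parsed JSON in place of `SAMPLE_ASSETS`.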

github-actions[bot] commented 3 months ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

jsquire commented 3 months ago

@JoshLove-msft: Would you please take point on getting a new release out?