Actual Behavior
Azure Service Bus SDK version 3.1.1 dependency async-http-client version 2.5.2 has a security vulnerability.
SRCCLR-SID-21682 XML External Entity (XXE): async-http-client is vulnerable to XML external entity attacks. The external DTD support in the Webdav module is not disabled, allowing attackers to access and retrieve system files, submit requests on behalf of the server, or potentially cause a denial of service.
Expected Behavior
Could you update the dependency to async-http-client-2.10.4, which doesn't have this vulnerability?
Versions