MarimerLLC / csla

A home for your business logic in any .NET application.
https://cslanet.com
MIT License

Backfit cve-2024-28698 to previous version? #4133

Closed MaceySoftware closed 3 months ago

MaceySoftware commented 3 months ago

Hi All,

Just wondering if this could be backfitted and set out as a small fix to previous versions, as much as I would love to upgrade to CSLA 8.0 I am just not in a position to do this at the moment, but don't want this vulnerability to show up in future testing done by the customer.

https://www.intruder.io/research/path-traversal-and-code-execution-in-csla-net-cve-2024-28698?utm_content=301411509&utm_medium=social&utm_source=twitter&hss_channel=tw-3189900201

Version and Platform
CSLA version: 5.3.3
OS: Windows
Platform: WebAPI

rockfordlhotka commented 3 months ago

I'm able to build and release v7 and 8.

Older than that I'm not sure if I can build it.

MaceySoftware commented 3 months ago

Would someone else be able to build it? This is now affecting our pipelines and we are going to have to make them appear as warnings instead of errors which isn't what we really want to do.

[error]The nuget command failed with exit code(1) and error(NU1904: Warning As Error: Package 'Csla' 5.5.3 has a known critical severity vulnerability, https://github.com/advisories/GHSA-9xhh-3m78-gvgj

rockfordlhotka commented 3 months ago

If you submit a PR for 5, 6, and 7 I will try to build them.

Or someone I trust can build and provide me with the bin folder so I can build the packages.

Step one is a set of PRs.

MaceySoftware commented 3 months ago

Hmm, I have never used Git... will attempt to hook it up now.

rockfordlhotka commented 3 months ago

The contributor doc in the repo has instructions.

On my phone traveling, so can't provide details.

MaceySoftware commented 3 months ago

One thing that confuses me.

Is this even a security issue for my code base if I am running 4.8, as it has #if NET5_0_OR_GREATER around the code, so this won't even be hit, will it? At least in my case.

Happy to make the change still, good learning exercise to get me into GIT and otherwise pipeline will still whine about it and I am sure some third party pen testing application will find it...

rockfordlhotka commented 3 months ago

It does not affect netfx, no. Only modern dotnet has the feature to dynamically load an assembly.
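The exposure rule stated in this thread (the affected code is compiled only under `NET5_0_OR_GREATER`, so a project that targets .NET Framework 4.8 never includes it) can be turned into a quick check over a project file. The script below is an added example, not code from the CSLA project or from anyone in this thread; the csproj it reads is constructed inline for illustration, and the `assess` output only tells you whether a net5.0-or-greater target is present alongside a Csla package reference, which is the question raised above. It does not look up patched versions; that is what the advisory and `dotnet list package --vulnerable` are for.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample project file (not from the CSLA repo): one netfx target and one modern target.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>net48;net6.0</TargetFrameworks>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Csla" Version="5.5.3" />
  </ItemGroup>
</Project>
"""

# Modern TFMs look like net5.0, net6.0-windows, net8.0; netfx (net48, net472),
# netcoreapp3.1 and netstandard2.x do not match this pattern.
_MODERN_TFM_RE = re.compile(r"^net(\d+)\.(\d+)")


def is_net5_or_greater(tfm: str) -> bool:
    """True when the NET5_0_OR_GREATER compile symbol would be defined for this TFM."""
    m = _MODERN_TFM_RE.match(tfm.strip().lower())
    return bool(m) and int(m.group(1)) >= 5


def _local(tag: str) -> str:
    """Strip an XML namespace (old-style csproj files carry one; SDK-style ones do not)."""
    return tag.split("}")[-1]


def project_targets(csproj_xml: str) -> list[str]:
    """Collect every TFM from <TargetFramework> or <TargetFrameworks> elements."""
    root = ET.fromstring(csproj_xml)
    tfms: list[str] = []
    for el in root.iter():
        if _local(el.tag) in ("TargetFramework", "TargetFrameworks") and el.text:
            tfms.extend(t.strip() for t in el.text.split(";") if t.strip())
    return tfms


def csla_versions(csproj_xml: str) -> list[str]:
    """Return the Version attribute of each PackageReference to Csla."""
    root = ET.fromstring(csproj_xml)
    return [
        el.get("Version", "")
        for el in root.iter()
        if _local(el.tag) == "PackageReference" and el.get("Include", "").lower() == "csla"
    ]


def assess(csproj_xml: str) -> dict:
    """Report whether the NET5_0_OR_GREATER code path is compiled into this project."""
    tfms = project_targets(csproj_xml)
    modern = [t for t in tfms if is_net5_or_greater(t)]
    return {
        "csla_versions": csla_versions(csproj_xml),
        "modern_targets": modern,
        "other_targets": [t for t in tfms if not is_net5_or_greater(t)],
        "code_path_compiled_in": bool(modern),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_CSPROJ)
    for key, value in report.items():
        print(f"{key}: {value}")
```

For a multi-targeted project like the sample, the netfx build leaves the code out while the net6.0 build compiles it in, so the check reports the code path as present; the NuGet audit error quoted earlier in the thread fires on the package version regardless of target, which is why the pipeline still complains on a netfx-only project.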

ajohnstone-ks commented 3 months ago

@rockfordlhotka That is good news. I think we are OK then as all our server stuff is net framework 4.8.

MaceySoftware commented 3 months ago

@rockfordlhotka Now we have backfitted everything are we happy for this one to be closed?