Xabaril / AspNetCore.Diagnostics.HealthChecks

Enterprise HealthChecks for ASP.NET Core Diagnostics Package
Apache License 2.0
4.05k stars, 793 forks

CVE-2024-21386 AspNetCore.HealthChecks.UI.Client/8.0.1 - upgrade Microsoft.Extensions.Diagnostics.HealthChecks #2250

Closed rsrinivasanhome closed 3 months ago

rsrinivasanhome commented 3 months ago

CVE-2024-21386 - AspNetCore.HealthChecks.UI.Client/8.0.1

https://nvd.nist.gov/vuln/detail/CVE-2024-21386

Upgrade NuGet package: Microsoft.Extensions.Diagnostics.HealthChecks/8.0.0 to https://www.nuget.org/packages/Microsoft.Extensions.Diagnostics.HealthChecks/8.0.6

adamsitnik commented 3 months ago

Hi @rsrinivasanhome

Why do you believe that updating Microsoft.Extensions.Diagnostics.HealthChecks would solve the referenced CVE?

According to my understanding the bug was in Microsoft.AspNetCore.App, so users should just update their .NET SDK?

cc @rbhanda @blowdart @Alirexaa

blowdart commented 3 months ago

Updating the SDK or runtime is the correct way to patch nearly all .NET CVEs now.

.NET doesn't update dependencies like this, to reduce churn and to ensure that packages are still usable by users who haven't patched their runtimes yet, so we won't take a PR like this in the .NET repos.

Whilst no doubt well intentioned, I suggest closing the PR.
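The point made above is that the fix is a runtime/SDK update, not a package bump, so the check a practitioner is left with is whether the host actually runs a patched Microsoft.AspNetCore.App. The script below is an added example, not code from the issue or the project: a POSIX shell function that parses `dotnet --list-runtimes` style output (a constructed sample is embedded so it runs offline; on a real host pipe in `dotnet --list-runtimes`) and flags every Microsoft.AspNetCore.App version that is below the minimum for its major version. The values in `MIN_PATCHED` are illustrative placeholders; take the real fixed versions for CVE-2024-21386 from the NVD entry or the Microsoft advisory, one per supported major.

```shell
#!/bin/sh
# Added example, not from the issue: flag installed Microsoft.AspNetCore.App
# runtimes that are below a per-major minimum (i.e. unpatched).

# Constructed sample of `dotnet --list-runtimes` output, not real machine output.
SAMPLE_RUNTIMES='Microsoft.AspNetCore.App 6.0.25 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.0 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]'

# Placeholder thresholds (assumption): replace with the fixed versions listed
# in the advisory, one entry per major version you run.
MIN_PATCHED="6.0.27 8.0.2"

# version_ge A B: exit 0 if A >= B, comparing major.minor.patch numerically
# (a plain string compare would rank 8.0.10 below 8.0.9).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# outdated_aspnetcore MIN_LIST LISTING
#   MIN_LIST: space-separated minimum versions, one per major (e.g. "6.0.27 8.0.2")
#   LISTING:  text in the format printed by `dotnet --list-runtimes`
# Prints each Microsoft.AspNetCore.App version that shares a major with an
# entry of MIN_LIST and is lower than it. Returns 1 if any was found, else 0.
# Majors with no entry in MIN_LIST are not judged (no threshold known).
outdated_aspnetcore() {
  mins=$1
  found=0
  # Heredoc rather than a pipe so the loop runs in the current shell and
  # $found survives the loop.
  while read -r name ver _; do
    [ "$name" = "Microsoft.AspNetCore.App" ] || continue
    for min in $mins; do
      [ "${ver%%.*}" = "${min%%.*}" ] || continue
      if ! version_ge "$ver" "$min"; then
        printf '%s\n' "$ver"
        found=1
      fi
    done
  done <<EOF
$2
EOF
  return $found
}

# Demo against the constructed sample; on a real host use:
#   outdated_aspnetcore "$MIN_PATCHED" "$(dotnet --list-runtimes)"
if out=$(outdated_aspnetcore "$MIN_PATCHED" "$SAMPLE_RUNTIMES"); then
  echo "all Microsoft.AspNetCore.App runtimes are at or above the thresholds"
else
  echo "Microsoft.AspNetCore.App runtimes below the threshold (update the .NET runtime/SDK):"
  printf '%s\n' "$out"
fi
```

Installing a newer Microsoft.AspNetCore.App side by side does not by itself move an app off the old one: a framework-dependent app rolls forward only within its patch band by default, and a self-contained app carries its own copy of the runtime and must be rebuilt, so the listing is a starting point, not the whole audit.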