ansible-collections / azure

Development area for Azure Collections
https://galaxy.ansible.com/azure/azcollection
GNU General Public License v3.0

azure-identity pinned version has vulnerability #1603

Closed MallocArray closed 6 days ago

MallocArray commented 2 weeks ago
SUMMARY

requirements.txt has azure-identity==1.14.0, which now has a vulnerability associated with it. https://avd.aquasec.com/nvd/2024/cve-2024-35255/

Fixed in 1.16.1

ISSUE TYPE
COMPONENT NAME

azure-identity

ANSIBLE VERSION
ansible [core 2.16.7]
  config file = /runner/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.11/site-packages/ansible
  ansible collection location = /runner/collections
  executable location = /usr/local/bin/ansible
  python version = 3.11.7 (main, Jan 22 2024, 00:00:00) [GCC 11.4.1 20231218 (Red Hat 11.4.1-3)] (/usr/bin/python3.11)
  jinja version = 3.1.4
  libyaml = True
COLLECTION VERSION
2.4.0
CONFIGURATION
OS / ENVIRONMENT
STEPS TO REPRODUCE

Install python modules from requirements.txt
Run a Trivy scan against EE with these modules installed

EXPECTED RESULTS

No open vulnerability

ACTUAL RESULTS

Observe CVE-2024-35255 being reported:
https://avd.aquasec.com/nvd/2024/cve-2024-35255/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255
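A pre-scan check of the kind this issue calls for, added here as an example and not code from the collection or the issue: it parses the `==` pins in a constructed requirements.txt and flags any azure-identity pin below 1.16.1, the version the issue names as the fix for CVE-2024-35255 (the ADVISORIES table is a hand-built placeholder, not a vulnerability feed).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a pinned requirements file like the one in the issue
REQUIREMENTS = """\
azure-identity==1.14.0
azure-mgmt-compute==30.0.0   # no advisory in our table, so it is ignored
"""

# Placeholder advisory table: package -> (CVE id, first fixed version).
# The one entry is taken from the issue text; a real check would use a feed.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "azure-identity": ("CVE-2024-35255", "1.16.1"),
}

# Matches "name==1.2.3" with optional whitespace and trailing comment
_PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*(?:#.*)?$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.16.1' into (1, 16, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.strip(".").split("."))


def parse_pins(text: str) -> Dict[str, str]:
    """Return {package: pinned_version} for every '==' pin in a requirements file."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PIN.match(line)
        if m:
            # Lower-case and '-' for '_' approximates PEP 503 name normalisation
            pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins


def vulnerable_pins(text: str) -> List[Tuple[str, str, str, str]]:
    """List (package, pinned, cve, fixed) for pins older than the advisory's fixed version."""
    found = []
    for pkg, pinned in parse_pins(text).items():
        adv = ADVISORIES.get(pkg)
        if adv and parse_version(pinned) < parse_version(adv[1]):
            found.append((pkg, pinned, adv[0], adv[1]))
    return found


if __name__ == "__main__":
    for pkg, pinned, cve, fixed in vulnerable_pins(REQUIREMENTS):
        print(f"{pkg}=={pinned} is affected by {cve}; upgrade to >= {fixed}")
```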

MallocArray commented 2 weeks ago

Dependabot already has a PR started https://github.com/ansible-collections/azure/pull/1596

Fred-sun commented 6 days ago

1596 has been merged; this can be closed!