System.Data.SqlClient v4.4.0 referenced by AWSXRayRecorder v2.14.0 has security issue - Githubissues

aws / aws-xray-sdk-dotnet

The official AWS X-Ray SDK for .NET.

Apache License 2.0

113 stars 64 forks source link

System.Data.SqlClient v4.4.0 referenced by AWSXRayRecorder v2.14.0 has security issue #293

Open OceanSJY opened 8 months ago

OceanSJY commented 8 months ago

The System.Data.SqlClient v4.4.0 was highlighed by Veracode since it has high severity issue:

Issue ID: 271795222
Issue Type: Vulnerability
Severity: 8.7
Description: CVE-2024-0056: Credential Exposure Microsoft.Data.SqlClient is vulnerable to Credential Exposure. The vulnerability is due to improper handling of TLS connections, allowing an attacker to read or modify traffic between the server and client. The attacker would have to position themself between the client and server, resulting in database credential exposure.

Could you please release a new version to reference a new version (e.g. v4.8.6) of System.Data.SqlClient to fix this issue?

mxiamxia commented 8 months ago

Thanks for reporting it. Will take a look

https://github.com/aws/aws-xray-sdk-dotnet/blob/018bfa65877dd72e346735bad4d7ad46f217da09/sdk/src/Handlers/SqlServer/AWSXRayRecorder.Handlers.SqlServer.csproj#L41