Vulnerabilities found in dbatools.library 2024.4.12

[MouraFe]

Hey, there! 👋

On one of our security scans, some vulnerabilities were found in the module dbatools.library version 2024.4.12 (latest) regarding the package system.private.uri version 4.3.0. This package was found in both core/lib/sqlpackage.deps.json and core/lib/mac/sqlpackage.deps.json. Here are the vulnerabilities:

• High severity: CVE-2019-0981
• High severity: CVE-2019-0980
• Moderate severity: CVE-2019-0657

Is it possible for these vulnerabilities to be addressed on a future release?

Thank you!

[potatoqualitee]

Thank you, we will address this in an upcoming release.

[bt-ndollimount]

@potatoqualitee I was provided results of a security scan that found a couple others as well.

Alert Details: The library Microsoft.Extensions.Caching.Memory version 8.0.0 was detected in Dotnet library manager located at /%HOME%/.PowerShellUniversal/Repository/Modules/dbatools.library/2024.4.12/core/lib/sqlpackage.deps.json and is vulnerable to CVE-2024-43483, which exists in versions >= 8.0.0-preview.1.23110.8, <= 8.0.0.

The vulnerability was found in the Github Security Advisory with vendor severity: High (NVD severity: High).

The vulnerability can be remediated by updating the library to version 8.0.1 or higher, using dotnet add package Microsoft.Extensions.Caching.Memory.

- Alert Details: The library Newtonsoft.Json version 12.0.2 was detected in Nuget library manager located at /%HOME%/.PowerShellUniversal/Repository/Modules/dbatools.library/2024.4.12/core/third-party/XESmartTarget/Newtonsoft.Json.dll and is vulnerable to CVE-2024-21907, which exists in versions < 13.0.1.

The vulnerability was found in the Github Security Advisory with vendor severity: High (NVD severity: High).

This vulnerability has a known exploit available. Source: Github.

The vulnerability can be remediated by updating the library to version 13.0.1 or higher, using dotnet add package Newtonsoft.Json.