dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License

[ SignalR ] TypeScript EventSource dependency security vulnerability #69546

Closed GO3LIN closed 2 years ago

GO3LIN commented 2 years ago

The EventSource library had a security issue and got patched ~1 week ago, just after the last SignalR version. The vulnerability is about Information Disclosure in headers (high risk), and it is causing our DevSecOps pipeline to fail. Can you please update the EventSource dependency to the latest version?

ghost commented 2 years ago

Tagging subscribers to this area: @tarekgh, @tommcdon, @pjanotti See info in area-owners.md if you want to be subscribed.

Issue Details
Author: GO3LIN
Assignees: -
Labels: `area-System.Diagnostics.Tracing`, `untriaged`
Milestone: -

tommcdon commented 2 years ago

Hello @GO3LIN! I'm closing this issue as this repo is for the .NET implementation of EventSource. This particular problem seems to be related to the JavaScript eventsource package, which seems to be getting the 1.1 version of eventsource: https://github.com/EventSource/eventsource/pull/273#issuecomment-1127624508. Since there may be a JavaScript package reference from SignalR, please feel free to open a tracking issue in https://github.com/signalr/signalr.

BrennanConroy commented 2 years ago

FYI ASP.NET Core SignalR is located at https://github.com/dotnet/aspnetcore

For this issue specifically, EventSource 1.1.1 is not vulnerable, but most vulnerability databases don't seem to be updated yet. https://github.com/EventSource/eventsource/pull/273#issuecomment-1127624508
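The practical check behind the last two comments is which `eventsource` versions a project actually resolves, including copies nested under `@microsoft/signalr`, and whether each is at or above the fixed release. The following Node.js script is an added example; it is not code from this thread or from the dotnet, SignalR or eventsource projects. It walks a `package-lock.json` object (both the `packages` layout of lockfile v2/v3 and the nested `dependencies` layout of v1) and compares each resolved version against a per-major fixed version. The only fixed version it takes from the thread is 1.1.1 on the 1.x line; any other major line is reported as "unknown" rather than assumed safe. The lock-file contents, including the `@microsoft/signalr` entry and its nested copy, are constructed for the example.

```javascript
"use strict";

// Parse "1.2.3" (a leading "v" or a prerelease suffix is tolerated and ignored
// for ordering) into [major, minor, patch] numbers.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator on the numeric triplet: -1, 0 or 1.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Collect every resolved copy of `name`, with its install path, from a lock
// object. lockfileVersion 2 carries both layouts, so prefer "packages" and
// only fall back to the nested "dependencies" tree of lockfileVersion 1.
function findResolved(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: info.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, info] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) hits.push({ path, version: info.version });
        if (info.dependencies) walk(info.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// fixedByMajor maps a major version to the first non-vulnerable release on
// that line. A major with no entry is "unknown": do not treat it as safe.
function assess(version, fixedByMajor) {
  const [major] = parseSemver(version);
  const fixed = fixedByMajor[major];
  if (fixed === undefined) return "unknown";
  return compareSemver(version, fixed) >= 0 ? "fixed" : "vulnerable";
}

function auditLock(lock, name, fixedByMajor) {
  return findResolved(lock, name).map((h) => ({ ...h, status: assess(h.version, fixedByMajor) }));
}

// From the thread: 1.1.1 is the fixed release on the 1.x line. No other line
// is listed here, so e.g. a 2.x copy is reported as "unknown".
const EVENTSOURCE_FIXED = { 1: "1.1.1" };

// Constructed lock file (not a real project): one hoisted copy already on the
// fixed release and one older copy nested under @microsoft/signalr.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "0.0.1" },
    "node_modules/eventsource": { version: "1.1.1" },
    "node_modules/@microsoft/signalr": { version: "6.0.5" },
    "node_modules/@microsoft/signalr/node_modules/eventsource": { version: "1.0.7" },
    "node_modules/some-other-lib": { version: "2.0.0" },
  },
};

for (const r of auditLock(SAMPLE_LOCK, "eventsource", EVENTSOURCE_FIXED)) {
  console.log(`${r.status.padEnd(10)} ${r.version.padEnd(8)} ${r.path}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The nested path is the case that matters here: a scanner that only looks at the top-level copy, or a lock file that pins an older copy under `node_modules/@microsoft/signalr/node_modules/eventsource`, gives a different answer than the direct dependency alone. If every resolved copy is 1.1.1 or later and the pipeline still fails, the scanner's database is behind the fix, which is the situation the previous comment describes.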