microsoft / DacFx

DacFx, SqlPackage, and other SQL development libraries enable declarative database development and database portability across SQL versions and environments. Share feedback here on dacpacs, bacpacs, and SQL projects.
https://aka.ms/sqlpackage-ref
MIT License

Observed multiple vulnerabilities in sqlpackage utility. #469

Open mayurlokare24 opened 4 months ago

mayurlokare24 commented 4 months ago

Steps to Reproduce:

1.
2.

Did this occur in prior versions? If not - which version(s) did it work in?

(DacFx/SqlPackage/SSMS/Azure Data Studio)

Observed multiple vulnerabilities in sqlpackage; please find the report below. Most of the vulnerabilities are critical and high. Could you please address those as soon as possible?

usr/openv/dbpaas/sqlpackage/sqlpackage.deps.json (dotnet-core)

Total: 8 (UNKNOWN: 0, LOW: 1, MEDIUM: 4, HIGH: 3, CRITICAL: 0)

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title | Reference |
|---|---|---|---|---|---|---|---|
| Azure.Identity | CVE-2024-29992 | MEDIUM | fixed | 1.10.3 | 1.11.0 | Azure Identity Library for .NET Information Disclosure Vulnerability | https://avd.aquasec.com/nvd/cve-2024-29992 |
| Azure.Identity | CVE-2024-35255 | MEDIUM | fixed | 1.10.3 | 1.11.4 | azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity | https://avd.aquasec.com/nvd/cve-2024-35255 |
| Microsoft.Identity.Client | CVE-2024-35255 | MEDIUM | fixed | 4.56.0 | 4.60.4, 4.61.3 | azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity | https://avd.aquasec.com/nvd/cve-2024-35255 |
| Microsoft.Identity.Client | CVE-2024-27086 | LOW | fixed | 4.56.0 | 4.59.1, 4.60.3 | MSAL.NET applications targeting Xamarin Android and .NET Android (MAUI) susceptible to local... | https://avd.aquasec.com/nvd/cve-2024-27086 |
| System.Formats.Asn1 | CVE-2024-38095 | HIGH | fixed | 5.0.0 | 6.0.1, 8.0.1 | dotnet: DoS when parsing X.509 Content and ObjectIdentifiers | https://avd.aquasec.com/nvd/cve-2024-38095 |
| System.Private.Uri | CVE-2019-0980 | HIGH | fixed | 4.3.0 | 4.3.2 | dotnet: infinite loop in Uri.TryCreate leading to ASP.Net Core Denial of Service... | https://avd.aquasec.com/nvd/cve-2019-0980 |
| System.Private.Uri | CVE-2019-0981 | HIGH | fixed | 4.3.0 | 4.3.2 | dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of Service | https://avd.aquasec.com/nvd/cve-2019-0981 |
| System.Private.Uri | CVE-2019-0657 | MEDIUM | fixed | 4.3.0 | 4.3.2 | dotnet: Domain-spoofing attack in System.Uri | https://avd.aquasec.com/nvd/cve-2019-0657 |

zijchen commented 3 months ago

Hi @mayurlokare24 have you tried with our latest version 162.3.566? We have addressed most of the vulnerabilities listed.

mayurlokare24 commented 3 months ago

Verified the latest build 162.3.566, but not all vulnerabilities are resolved yet; I have attached the report. Until this is fixed we won't be able to use sqlpackage, Azure SQL Managed Instance and Azure SQL Server for the application.

[attached image: scan report]
ErikEJ commented 3 months ago

@mayurlokare24 You can just update the transitive and direct dependencies yourself.
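Whether a given sqlpackage build (or a self-patched set of dependencies) actually clears the findings above can be checked straight from the manifest Trivy scanned, `sqlpackage.deps.json`, without re-running the scanner. The following script is an added example, not code from the DacFx project or from anyone in this thread: it reads the `libraries` section of a .NET `deps.json`, extracts each NuGet package's installed version, and compares it with the fixed versions listed in the table above. The sample manifest is constructed to match that table, and the rule in `is_fixed()` for handling several fixed versions on different release lines is an assumption, not scanner-vendor logic.

```python
"""Check a .NET deps.json manifest against known-fixed package versions.

Added example, not part of the sqlpackage/DacFx project. It reproduces the
comparison a scanner performs on sqlpackage.deps.json: walk the "libraries"
section, pick out NuGet packages, and flag any whose installed version is
below the fixed version of an advisory. The advisory list is taken from the
scan table in the issue; the sample manifest is constructed to match it.
"""
import json
import re

# Constructed sample in the shape of a .NET deps.json (subset of the fields).
SAMPLE_DEPS_JSON = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v6.0"},
    "targets": {".NETCoreApp,Version=v6.0": {}},
    "libraries": {
        "sqlpackage/1.0.0": {"type": "project", "serviceable": False},
        "Azure.Identity/1.10.3": {"type": "package", "serviceable": True,
                                  "path": "azure.identity/1.10.3"},
        "Microsoft.Identity.Client/4.56.0": {"type": "package", "serviceable": True,
                                             "path": "microsoft.identity.client/4.56.0"},
        "System.Formats.Asn1/5.0.0": {"type": "package", "serviceable": True,
                                      "path": "system.formats.asn1/5.0.0"},
        "System.Private.Uri/4.3.0": {"type": "package", "serviceable": True,
                                     "path": "system.private.uri/4.3.0"},
    },
})

# (package, CVE, fixed versions) as listed in the issue's scan table.
ADVISORIES = [
    ("Azure.Identity", "CVE-2024-29992", ["1.11.0"]),
    ("Azure.Identity", "CVE-2024-35255", ["1.11.4"]),
    ("Microsoft.Identity.Client", "CVE-2024-35255", ["4.60.4", "4.61.3"]),
    ("Microsoft.Identity.Client", "CVE-2024-27086", ["4.59.1", "4.60.3"]),
    ("System.Formats.Asn1", "CVE-2024-38095", ["6.0.1", "8.0.1"]),
    ("System.Private.Uri", "CVE-2019-0980", ["4.3.2"]),
    ("System.Private.Uri", "CVE-2019-0981", ["4.3.2"]),
    ("System.Private.Uri", "CVE-2019-0657", ["4.3.2"]),
]

_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?")


def parse_version(text):
    """Turn a NuGet version string into a comparable tuple.

    Numeric parts are padded to four components; a prerelease label sorts
    below the corresponding release ("1.11.4-beta.1" < "1.11.4"), as in SemVer.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p or 0) for p in m.groups()[:4])
    pre = m.group(5)
    return nums + ((1, "") if pre is None else (0, pre))


def is_fixed(installed, fixed_versions):
    """Assumed rule: the install is fixed when it is at or above some fixed
    release and no fixed release on the same major.minor line is newer
    (so 4.61.0 is still vulnerable when the fixes are 4.60.4 and 4.61.3)."""
    inst = parse_version(installed)
    fixes = [parse_version(f) for f in fixed_versions]
    if not any(inst >= f for f in fixes):
        return False
    same_line_newer = [f for f in fixes if f[:2] == inst[:2] and f > inst]
    return not same_line_newer


def packages_from_deps_json(text):
    """Return {package_name: version} for every NuGet package in a deps.json."""
    doc = json.loads(text)
    found = {}
    for key, lib in doc.get("libraries", {}).items():
        if lib.get("type") != "package":
            continue  # skip the application's own "project" entries
        name, _, version = key.partition("/")
        found[name] = version
    return found


def find_unfixed(deps_json_text, advisories=ADVISORIES):
    """Return (package, installed, cve, fixed_versions) for each advisory whose
    package is present in the manifest at a not-yet-fixed version."""
    installed = packages_from_deps_json(deps_json_text)
    hits = []
    for pkg, cve, fixes in advisories:
        if pkg in installed and not is_fixed(installed[pkg], fixes):
            hits.append((pkg, installed[pkg], cve, fixes))
    return hits


if __name__ == "__main__":
    # Usage against a real install: replace SAMPLE_DEPS_JSON with
    # open("/path/to/sqlpackage.deps.json").read()
    for pkg, ver, cve, fixes in find_unfixed(SAMPLE_DEPS_JSON):
        print(f"{pkg} {ver}: {cve} (fixed in {', '.join(fixes)})")
```

Run against the constructed manifest it reports all eight findings from the table; pointed at the `sqlpackage.deps.json` of a newer build it shows exactly which advisories remain, which is the quickest way to confirm a claim like "still an issue in 162.4.92" before opening or reopening a report.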

avivanoff commented 1 month ago

Still an issue in 162.4.92.

mayurlokare24 commented 1 month ago

@ErikEJ Could you please recommend a location from which I should download the direct dependencies, and the steps to update those in sqlpackage?