milvus-io / milvus

A cloud-native vector database, storage for next generation AI applications
https://milvus.io
Apache License 2.0

[Bug]: Azidentity package used has Elevation of Privilege Vulnerability #34456

Closed Ald392 closed 2 weeks ago

Ald392 commented 2 months ago

Is there an existing issue for this?

Environment

- Milvus version:
- Deployment mode(standalone or cluster):
- MQ type(rocksmq, pulsar or kafka):    
- SDK version(e.g. pymilvus v2.0.0rc2):
- OS(Ubuntu or CentOS): 
- CPU/Memory: 
- GPU: 
- Others:

Current Behavior

The version of Azidentity that we currently use (v1.3.0), https://github.com/milvus-io/milvus/blob/05df70973c246b8061333bd25fa6fb91b9a1c84e/go.mod#L7, has the following vulnerability: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255

Expected Behavior

No response

Steps To Reproduce

No response

Milvus Log

No response

Anything else?

No response

xiaofan-luan commented 2 months ago

We will try to upgrade this to 1.7, which should solve this problem.

yanliang567 commented 2 months ago

/assign @congqixia @czs007 please help to check the package upgrade /unassign

xiaofan-luan commented 2 months ago

Merged into master, need to cherry-pick to 2.4 @Ald392

stale[bot] commented 3 weeks ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. Rotten issues close after 30d of inactivity. Reopen the issue with /reopen.