Open philipborg opened 12 months ago
Yes, this library contains High Severity vulnerabilities
Issues with no direct upgrade or patch:

✗ Arbitrary File Write via Archive Extraction (Zip Slip) [Medium Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMIOCOMPRESSIONZIPFILE-174570] in System.IO.Compression.ZipFile@4.0.1 introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.Core@4.0.8 > NETStandard.Library@1.6.0 > System.IO.Compression.ZipFile@4.0.1 and 1 other path(s) This issue was fixed in versions: 4.3.0
✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60045] in System.Net.Http@4.1.0 introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.HttpClient@4.0.8 > System.Net.Http@4.1.0 and 3 other path(s) This issue was fixed in versions: 4.1.2, 4.3.2
✗ Improper Certificate Validation [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60046] in System.Net.Http@4.1.0 introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.HttpClient@4.0.8 > System.Net.Http@4.1.0 and 3 other path(s) This issue was fixed in versions: 4.1.2, 4.3.2
✗ Privilege Escalation [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60047] in System.Net.Http@4.1.0 introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.HttpClient@4.0.8 > System.Net.Http@4.1.0 and 3 other path(s) This issue was fixed in versions: 4.1.2, 4.3.2
✗ Authentication Bypass [Medium Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60048] in System.Net.Http@4.1.0 introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.HttpClient@4.0.8 > System.Net.Http@4.1.0 and 3 other path(s) This issue was fixed in versions: 4.1.2, 4.3.2
✗ Information Exposure [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-72439] in System.Net.Http@4.1.0 introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.HttpClient@4.0.8 > System.Net.Http@4.1.0 and 3 other path(s) This issue was fixed in versions: 2.0.20710, 4.0.1-beta-23225, 4.1.4, 4.3.4
✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTREGULAREXPRESSIONS-174708] in System.Text.RegularExpressions@4.3.0 introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.Core@4.0.8 > NETStandard.Library@1.6.0 > System.Text.RegularExpressions@4.3.0 and 19 other path(s) This issue was fixed in versions: 4.3.1
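The report above names the vulnerable transitive packages, the paths through which sib_api_v3_sdk pulls them in, and the versions that fix each finding, but it leaves the reader to work out the smallest upgrade that closes every finding on a package at once. The script below is an added example, not code from the issue author, from Brevo, or from the Snyk tooling: it parses report lines in the format quoted above (the sample input is constructed from those same lines), picks for each package the lowest listed fix version that covers all of its findings, and prints the direct PackageReference entries a consumer can add to a csproj so that NuGet selects the fixed version instead of the one FubarCoder.RestSharp.Portable asks for. It assumes that a fix is cumulative within a major.minor line (any version at or above the listed fix on the same line carries it) and relies on NuGet's documented rule that a direct package reference takes precedence over a transitive one.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the finding lines quoted in this issue, one finding per line.
SNYK_REPORT = """\
✗ Arbitrary File Write via Archive Extraction (Zip Slip) [Medium Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMIOCOMPRESSIONZIPFILE-174570] in System.IO.Compression.ZipFile@4.0.1 introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.Core@4.0.8 > NETStandard.Library@1.6.0 > System.IO.Compression.ZipFile@4.0.1 and 1 other path(s) This issue was fixed in versions: 4.3.0
✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60045] in System.Net.Http@4.1.0 introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.HttpClient@4.0.8 > System.Net.Http@4.1.0 and 3 other path(s) This issue was fixed in versions: 4.1.2, 4.3.2
✗ Improper Certificate Validation [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60046] in System.Net.Http@4.1.0 introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.HttpClient@4.0.8 > System.Net.Http@4.1.0 and 3 other path(s) This issue was fixed in versions: 4.1.2, 4.3.2
✗ Privilege Escalation [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60047] in System.Net.Http@4.1.0 introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.HttpClient@4.0.8 > System.Net.Http@4.1.0 and 3 other path(s) This issue was fixed in versions: 4.1.2, 4.3.2
✗ Authentication Bypass [Medium Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60048] in System.Net.Http@4.1.0 introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.HttpClient@4.0.8 > System.Net.Http@4.1.0 and 3 other path(s) This issue was fixed in versions: 4.1.2, 4.3.2
✗ Information Exposure [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-72439] in System.Net.Http@4.1.0 introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.HttpClient@4.0.8 > System.Net.Http@4.1.0 and 3 other path(s) This issue was fixed in versions: 2.0.20710, 4.0.1-beta-23225, 4.1.4, 4.3.4
✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTREGULAREXPRESSIONS-174708] in System.Text.RegularExpressions@4.3.0 introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.Core@4.0.8 > NETStandard.Library@1.6.0 > System.Text.RegularExpressions@4.3.0 and 19 other path(s) This issue was fixed in versions: 4.3.1
"""

# One finding per line: title, severity, advisory URL, package@version, dependency path, fix list.
FINDING_RE = re.compile(
    r"^✗ (?P<title>.+?) \[(?P<severity>\w+) Severity\]\[(?P<url>[^\]]+)\] "
    r"in (?P<package>[^@\s]+)@(?P<version>\S+) introduced by (?P<path>.+?)"
    r"(?: and \d+ other path\(s\))? This issue was fixed in versions: (?P<fixed>.+)$"
)


@dataclass
class Finding:
    title: str
    severity: str
    url: str
    package: str
    version: str
    path: list[str]   # dependency chain from the root package to the vulnerable one
    fixed: list[str]  # versions the advisory lists as fixed


def parse_report(text: str) -> list[Finding]:
    """Parse Snyk-style finding lines; lines that do not match are ignored."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        findings.append(Finding(
            title=m["title"], severity=m["severity"], url=m["url"],
            package=m["package"], version=m["version"],
            path=[p.strip() for p in m["path"].split(">")],
            fixed=[f.strip() for f in m["fixed"].split(",")],
        ))
    return findings


def parse_version(v: str) -> tuple:
    """Sort key for NuGet-style versions: numeric core padded to four parts, with a
    prerelease (e.g. 4.0.1-beta-23225) ordering below the release with the same core."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (4 - len(nums))
    return (nums, pre == "", pre)


def same_line(a: str, b: str) -> bool:
    """True when two versions share a major.minor release line."""
    return parse_version(a)[0][:2] == parse_version(b)[0][:2]


def minimal_pins(findings: list[Finding]) -> dict[str, str | None]:
    """For each package, the lowest listed fix version above the installed one that
    closes every finding. Assumption: a fix is cumulative within its major.minor line,
    so a finding is closed by any version >= one of its fixes on that line."""
    by_pkg: dict[str, list[Finding]] = {}
    for f in findings:
        by_pkg.setdefault(f.package, []).append(f)
    pins: dict[str, str | None] = {}
    for pkg, fs in by_pkg.items():
        current = parse_version(fs[0].version)
        candidates = sorted({v for f in fs for v in f.fixed if parse_version(v) > current},
                            key=parse_version)
        pins[pkg] = None  # stays None if no single listed version closes all findings
        for cand in candidates:
            closes_all = all(
                any(same_line(cand, fx) and parse_version(fx) <= parse_version(cand) for fx in f.fixed)
                for f in fs)
            if closes_all:
                pins[pkg] = cand
                break
    return pins


def csproj_overrides(pins: dict[str, str | None]) -> str:
    """Direct PackageReference items: NuGet prefers a direct reference over the
    transitive version, so these override what the intermediate package requests."""
    items = "\n".join(f'    <PackageReference Include="{p}" Version="{v}" />'
                      for p, v in sorted(pins.items()) if v is not None)
    return f"  <ItemGroup>\n{items}\n  </ItemGroup>"


if __name__ == "__main__":
    found = parse_report(SNYK_REPORT)
    for f in found:
        print(f"{f.severity:6} {f.package}@{f.version}  via {' > '.join(f.path[:-1])}")
    print(csproj_overrides(minimal_pins(found)))
```

For System.Net.Http the result is 4.1.4 rather than 4.1.2, because the Information Exposure advisory is only fixed from 4.1.4 on the 4.1 line. Pinning this way is a stop-gap that keeps the deprecated FubarCoder.RestSharp.Portable in the graph; it should be paired with a restore-time check such as `dotnet list package --vulnerable --include-transitive` in CI so that the override is noticed if the intermediate package ever changes what it pulls in.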
I am also running into incompatibility issues with modern code bases because of this dependency. FWIW the newest version of swagger codegen uses a different HTTP library. However, I couldn't get this generated code to compile. We are having to write our own implementation of the Brevo/Sendinblue API due to this.
Has this been changed in Brevo CSharp? https://www.nuget.org/packages/brevo_csharp/
Nope, it still depends on FubarCoder.RestSharp.Portable.
Brevo responded to my ticket in the helpdesk that they tried to update the SDK but encountered numerous errors. Therefore, they decided to maintain the current version for the time being. So if you wanna use it, I think that you need to write your own SDK for security reasons.
The dependency was last updated in 2016 and officially deprecated in 2018. Especially as it's a networking library, this is unacceptable from a security perspective. It also causes compatibility issues with modern code bases.
https://github.com/FubarDevelopment/restsharp.portable