Observed multiple vulnerabilities in sqlpackage utility. #469

Open
mayurlokare24 opened this issue Jul 23, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@mayurlokare24

  • SqlPackage or DacFx Version: 162.2.111.2
  • .NET Framework (Windows-only) or .NET Core:
  • Environment (local platform and source/target platforms):

Steps to Reproduce:

Did this occur in prior versions? If not - which version(s) did it work in?

(DacFx/SqlPackage/SSMS/Azure Data Studio)

Observed multiple vulnerabilities in sqlpackage; please find the report below. Most of the vulnerabilities are critical and high. Could you please address those as soon as possible?

usr/openv/dbpaas/sqlpackage/sqlpackage.deps.json (dotnet-core)

Total: 8 (UNKNOWN: 0, LOW: 1, MEDIUM: 4, HIGH: 3, CRITICAL: 0)

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| Azure.Identity | CVE-2024-29992 | MEDIUM | fixed | 1.10.3 | 1.11.0 | Azure Identity Library for .NET Information Disclosure Vulnerability (https://avd.aquasec.com/nvd/cve-2024-29992) |
| Azure.Identity | CVE-2024-35255 | MEDIUM | fixed | 1.10.3 | 1.11.4 | azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity (https://avd.aquasec.com/nvd/cve-2024-35255) |
| Microsoft.Identity.Client | CVE-2024-35255 | MEDIUM | fixed | 4.56.0 | 4.60.4, 4.61.3 | azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity (https://avd.aquasec.com/nvd/cve-2024-35255) |
| Microsoft.Identity.Client | CVE-2024-27086 | LOW | fixed | 4.56.0 | 4.59.1, 4.60.3 | MSAL.NET applications targeting Xamarin Android and .NET Android (MAUI) susceptible to local... (https://avd.aquasec.com/nvd/cve-2024-27086) |
| System.Formats.Asn1 | CVE-2024-38095 | HIGH | fixed | 5.0.0 | 6.0.1, 8.0.1 | dotnet: DoS when parsing X.509 Content and ObjectIdentifiers (https://avd.aquasec.com/nvd/cve-2024-38095) |
| System.Private.Uri | CVE-2019-0980 | HIGH | fixed | 4.3.0 | 4.3.2 | dotnet: infinite loop in Uri.TryCreate leading to ASP.Net Core Denial of Service... (https://avd.aquasec.com/nvd/cve-2019-0980) |
| System.Private.Uri | CVE-2019-0981 | HIGH | fixed | 4.3.0 | 4.3.2 | dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of Service (https://avd.aquasec.com/nvd/cve-2019-0981) |
| System.Private.Uri | CVE-2019-0657 | MEDIUM | fixed | 4.3.0 | 4.3.2 | dotnet: Domain-spoofing attack in System.Uri (https://avd.aquasec.com/nvd/cve-2019-0657) |

mayurlokare24 added the bug label Jul 23, 2024

@zijchen
Member

zijchen commented Jul 29, 2024

Hi @mayurlokare24 have you tried with our latest version 162.3.566? We have addressed most of the vulnerabilities listed.

@mayurlokare24
Author

Verified the latest build 162.3.566, but not all vulnerabilities are resolved yet.
I have attached the report.
Until this is fixed we won't be able to use sqlpackage, Azure SQL Managed Instance and Azure SQL Server for the application.

[attached image: scan report]

@ErikEJ
Contributor

ErikEJ commented Aug 23, 2024

@mayurlokare24 You can just update the transitive and direct dependencies yourself.
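One way to check a sqlpackage build against the scan table above, as an added example that is not from the sqlpackage project or from either commenter: it reads the package list from a deps.json (the file Trivy scanned) and applies the table's fixed versions per CVE. The deps.json excerpt is constructed, and the branch rule in `status()` is an assumption about how Trivy's comma-separated fixed versions map to release branches.

```python
import json
# (library, CVE, fixed versions) copied from the Trivy table in this issue.
# Trivy prints one fixed version per affected release branch (major.minor).
ADVISORIES = [
    ("Azure.Identity", "CVE-2024-29992", ["1.11.0"]),
    ("Azure.Identity", "CVE-2024-35255", ["1.11.4"]),
    ("Microsoft.Identity.Client", "CVE-2024-35255", ["4.60.4", "4.61.3"]),
    ("Microsoft.Identity.Client", "CVE-2024-27086", ["4.59.1", "4.60.3"]),
    ("System.Formats.Asn1", "CVE-2024-38095", ["6.0.1", "8.0.1"]),
    ("System.Private.Uri", "CVE-2019-0980", ["4.3.2"]),
    ("System.Private.Uri", "CVE-2019-0981", ["4.3.2"]),
    ("System.Private.Uri", "CVE-2019-0657", ["4.3.2"]),
]

def parse_version(v):
    """Numeric tuple; a pre-release suffix such as '-beta.1' is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def status(installed, fixed_list):
    """'fixed', 'vulnerable' or 'check advisory' (assumed branch rule):
    same major.minor as a listed fix -> fixed iff >= that fix;
    below the oldest fixed branch -> vulnerable (no fix shipped there);
    any other branch -> the table alone cannot decide, read the advisory."""
    inst = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixed_list)
    for fix in fixes:
        if inst[:2] == fix[:2]:
            return "fixed" if inst >= fix else "vulnerable"
    return "vulnerable" if inst[:2] < fixes[0][:2] else "check advisory"

def installed_packages(deps_json_text):
    """Map package name -> version from the 'targets' section of a deps.json."""
    found = {}
    for target in json.loads(deps_json_text).get("targets", {}).values():
        for key in target:                       # keys look like "Name/Version"
            name, _, version = key.partition("/")
            if version:
                found[name] = version
    return found

def audit(deps_json_text):
    """Return [(library, cve, installed, status)] for every finding not fixed."""
    pkgs = installed_packages(deps_json_text)
    return [(lib, cve, pkgs[lib], status(pkgs[lib], fixes))
            for lib, cve, fixes in ADVISORIES
            if lib in pkgs and status(pkgs[lib], fixes) != "fixed"]

# Constructed deps.json excerpt in the shape of sqlpackage.deps.json (sample versions).
SAMPLE = json.dumps({"targets": {".NETCoreApp,Version=v6.0": {
    "Azure.Identity/1.10.3": {}, "Microsoft.Identity.Client/4.60.3": {},
    "System.Formats.Asn1/8.0.1": {}, "System.Private.Uri/4.3.0": {}}}})
```

Run `audit(open("sqlpackage.deps.json").read())` against a real build to list the CVEs the table says are still open; a "check advisory" result means the installed branch is not one Trivy listed a fix for.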
