
Microsoft.Azure.DocumentDB 2.15 depends on a version of System.Net.Http.WinHttpHandler with vulnerabilities #862

Open
mattgotteiner opened this issue Aug 17, 2021 · 1 comment

@mattgotteiner (Member)

Describe the bug
From the Microsoft.Azure.DocumentDB nuspec:

      <group targetFramework=".NETFramework4.6.1">
        <dependency id="Newtonsoft.Json" version="6.0.8" />
        <dependency id="System.Net.Http.WinHttpHandler" version="4.5.0" />
        <dependency id="System.Net.Http" version="4.3.4" />
        <dependency id="System.Threading.Tasks.Extensions" version="4.5.2" />
      </group>

4.5.0 has a security issue
https://www.nuget.org/packages/System.Net.Http.WinHttpHandler/4.5.0
Advisory Details: GHSA-6xh7-4v2w-36q6

To Reproduce
The SDK will pull in the 4.5.0 version of System.Net.Http.WinHttpHandler through its dependencies when it is referenced in a project.

Expected behavior
The SDK should pull in a version of this dependency that does not have a vulnerability (e.g. https://www.nuget.org/packages/System.Net.Http.WinHttpHandler/4.5.4).

Actual behavior
The SDK pulls in 4.5.0 of System.Net.Http.WinHttpHandler, which has a vulnerability.

Environment summary

SDK Version:
OS Version (e.g. Windows, Linux, MacOSX): Windows

Additional context

@j82w (Contributor) commented Aug 17, 2021

There is currently work being done to release a 2.16 with the dependency version bumped. It should be released in the next few weeks. As a workaround you should be able to target the 4.5.4 version, and use assembly redirects.
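The workaround the comment above describes (pin the patched package directly and let binding redirects resolve the assembly version) looks like the following in an SDK-style project file. This is an added example, not code from the issue or from the Azure Cosmos DB SDK repository; the `2.15.0` package version is assumed from the "2.15" in the title, and the project name and target framework are placeholders for a consuming application.

```xml
<!-- Example .csproj for an application that consumes Microsoft.Azure.DocumentDB 2.15.
     Added illustration, not the SDK's own project file. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <!-- net461 is the TFM group shown in the nuspec above; adjust to your app's TFM. -->
    <TargetFramework>net461</TargetFramework>
    <!-- Have MSBuild emit the bindingRedirect entries for the bumped assembly into
         the generated app.config, so no hand-written redirect is needed. -->
    <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
    <GenerateBindingRedirectsOutputType>true</GenerateBindingRedirectsOutputType>
  </PropertyGroup>

  <ItemGroup>
    <!-- The SDK package; 2.15.0 is assumed here as the exact version of "2.15". -->
    <PackageReference Include="Microsoft.Azure.DocumentDB" Version="2.15.0" />

    <!-- Direct reference to the patched transitive dependency. A top-level
         PackageReference wins over the 4.5.0 floor declared in the SDK's nuspec,
         so NuGet resolves 4.5.4 instead of the vulnerable version. -->
    <PackageReference Include="System.Net.Http.WinHttpHandler" Version="4.5.4" />
  </ItemGroup>

</Project>
```

After restoring, `dotnet list package --vulnerable --include-transitive` (available in the .NET SDK's `dotnet list package` command) shows whether the resolved graph still contains a package with a known advisory; with the direct reference in place, the 4.5.0 entry should no longer appear. Keeping the direct reference after upgrading to an SDK release that bumps the dependency is harmless, but it can be removed once the SDK's own floor is at or above 4.5.4.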
