Azure.Identity transitive dependency resulting in security check failures due to CVE-2023-36414 #2198
Labels
Duplicate
This issue or pull request already exists
Comments
StasJS
changed the title
StasJS
changed the title
|
As discussed in #2189, this change will be shipped in 5.2.0-preview4 |
|
@javad is this fix in 5.1.2? And why not? |
No. We didn't find out about it in time to include it in 5.1.2. Additionally, users have to be able to control the tenant ID and/or scope to be vulnerable to the issue and that isn't user-controlled input from MDS. We do plan to include it in a future hotfix version. |
|
@David-Engel Thanks for that explanation. So neither SqlClient or EF Core are vulnerable in this context. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi there,
My organisation performs security checks on application dependencies, including transitive dependencies.
We directly depend on
Microsoft.Data.SqlClient(currently version 5.1.1). I see that this package in turn depends on Azure.Identity (>= 1.7.0).Our applications don't depend on directly
Azure.Identitydirectly, or leverage Azure capabilities withinMicrosoft.Data.SqlClientin any way. This means we are pulling inAzure.Identityv1.7.0 implicitly.On 2023/10/13, CVE-2023-36414 was published, affecting versions of
Azure.Identityup to v1.10.2. This CVE has been causing our security checks for applications to fail.Looking at the latest (prerelease) version, the minimum version for
Azure.Identityis only1.8.0. Thus upgrading to the latest pre-release version ofMicrosoft.Data.SqlClientwould not resolve the security check violation for CVE-2023-36414.We are currently silencing this violation as it's coming from what appears to be an optional dependency for
Microsoft.Data.SqlClientthat we aren't leveraging via our usage ofMicrosoft.Data.SqlClient. This is on the assumption that CVE is not an actually an issue in this scenario - if you are aware of that being a faulty assumption do let me know.The only other alternative we see would be to take an artificial direct dependency on
Azure.Identityso we can specify a version >= 1.10.2, where the CVE is fixed. However we support a number of applications experiencing this issue and would prefer not to incur this kind of technical debt.Ideally we'd like to see a new version of this library published which updates the minimum version of
Azure.Identityto one where the CVE-2023-36414 is fixed.Keen to hear your thoughts on this issue! Let me know if you need more information.
The text was updated successfully, but these errors were encountered: