
Vulnerabilities in release 13.2 #12097


henriksorensen created

I observed a number of NuGet packages with known medium and high vulnerabilities in the latest release 13.2. Does Asp.Net Zero do any vulnerability scanning before a release?

Specifically I detected these vulnerabilities:

  • system.text.regularexpressions.4.3.0.nupkg
  • microsoft.identitymodel.jsonwebtokens.6.15.0.nupkg
  • bouncycastle.cryptography.2.3.0.nupkg
  • system.text.json.8.0.3.nupkg
  • system.text.regularexpressions.4.3.0.nupkg
  • Azure.Identity 1.11.2

Please confirm that you are aware of these NuGet packages with vulnerabilities?

Please let me know if or when these packages are updated in the Asp.Net Zero .Net 8 solution?

Br. Tom Andersen


4 Answer(s)
  • ismcagdas created
    Support Team

    Hi @henriksorensen

    We upgrade all NuGet packages in each version. The new version of AspNet Zero (13.3) will be released today or tomorrow.

  • henriksorensen created

    Thanks for the quick response! Looking forward to the new release. Some of these vulnerabilities are due to transitive dependencies and may need a bit of work apart from upgrading the direct dependencies. I'll try the new release next week.

    Br. Tom

  • ismcagdas created
    Support Team

    Hi,

    The new release is out. If you can create an issue on https://github.com/aspnetzero/aspnet-zero-core, we will also check this issue.

  • henriksorensen created

    Hi, thanks for the new release. Looks good! One vulnerability remains in the backend code: System.Text.RegularExpressions 4.3.0 (High) https://github.com/advisories/GHSA-cmhx-cq75-c4mj. It is a transitive package in all projects. The fix is to explicitly take a dependency on System.Text.RegularExpressions 4.3.1.

    I'll create an issue on GitHub.
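The fix in the last reply (overriding a vulnerable transitive package by taking an explicit direct dependency on the fixed version) can be applied once to every project in the solution from a Directory.Build.props at the solution root. This is an added example, not code from the thread or from the AspNet Zero project; it assumes a .NET SDK recent enough to support the NuGetAudit properties, and the pinned version is the 4.3.1 named above.

```xml
<!-- Directory.Build.props at the solution root (added example, not from AspNet Zero).
     MSBuild imports this file into every project beneath it, so one pin covers
     all projects that pull System.Text.RegularExpressions in transitively. -->
<Project>
  <PropertyGroup>
    <!-- Make restore report vulnerable packages, including transitive ones,
         and treat the NuGet audit warnings (NU1901-NU1904: low..critical) as errors
         so a vulnerable transitive package fails the build instead of only warning.
         Assumes an SDK that supports NuGetAuditMode. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>moderate</NuGetAuditLevel>
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- An explicit direct reference wins over the transitive 4.3.0
         (GHSA-cmhx-cq75-c4mj, as noted in the thread). -->
    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
  </ItemGroup>
</Project>
```

After restoring, `dotnet list package --vulnerable --include-transitive` lists any remaining vulnerable packages per project, so the result of the pin can be checked rather than assumed.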