Handle Component Governance issue - Upgrade System.Drawing.Common from 4.7.0 to 4.7.2 to fix the vulnerability #3111

Closed
deeguMSFT opened this issue Nov 6, 2024 · 4 comments

Comments

@deeguMSFT

Handle Component Governance issue - Upgrade System.Drawing.Common from 4.7.0 to 4.7.2 to fix the vulnerability

There is a vulnerability (Severity: Critical) in version 4.7.0 of component System.Drawing.Common. Package dependency tree:
└─Microsoft.Azure.WebJobs.Logging.ApplicationInsights 3.0.41 - NuGet
  └─Microsoft.ApplicationInsights.AspNetCore 2.21.0 - NuGet
    └─Microsoft.ApplicationInsights.PerfCounterCollector 2.21.0 - NuGet
      └─System.Diagnostics.PerformanceCounter 4.7.0 - NuGet
        └─System.Configuration.ConfigurationManager 4.7.0 - NuGet
          └─System.Security.Permissions 4.7.0 - NuGet
            └─System.Windows.Extensions 4.7.0 - NuGet
              └─System.Drawing.Common 4.7.0 - NuGet

The remediation steps offered by Component Governance are as follows: Upgrade System.Drawing.Common from 4.7.0 to 4.7.2 to fix the vulnerability.

@bhagyshricompany

Hi @deeguMSFT, thanks for reporting. Please try with version 6.0.0; it seems to be working fine.

@bhagyshricompany

Hope it is working fine. No update; if you have any, please raise a new request for the same. Thanks.

@deeguMSFT

deeguMSFT commented Dec 3, 2024

Hi @bhagyshricompany, this fix is needed in stable for an SFI issue, so that the build pipeline can pick the appropriate build number.
Any idea when the fixed version will be available in stable?

The current version I am seeing in stable is 3.0.41, via edge.sv repo.

Also, which pre-release version should I try for testing the fix? I am seeing 3.1.0-11845 in the latest prerelease. I am not seeing version 6.0.0.

@GillesVercammen

Hey, why is this closed exactly? Because this is an actual CVE issue.
The current dependency is Microsoft.ApplicationInsights.AspNetCore 2.21.0, which has an underlying dependency on System.Drawing.Common 4.7.0, which has a CVE vulnerability.

Bumping Microsoft.ApplicationInsights.AspNetCore 2.21.0 to 2.22.0 should do the job.
-> microsoft/ApplicationInsights-dotnet#2707
-> GHSA-rxg9-xrhp-64gj

Thank you!
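
To check locally which top-level reference pulls in the flagged package, the restore output can be walked for dependency paths that end at a version below the fixed one. This is an added example, not code from the issue or the project; it assumes the `targets` layout of NuGet's `project.assets.json`, and the sample data and the `net6.0` target name are constructed from the tree quoted in the issue.

```python
# Constructed sample: the package chain quoted in the issue, laid out the way
# NuGet writes the "targets" section of obj/project.assets.json. Not real output.
CHAIN = [
    ("Microsoft.Azure.WebJobs.Logging.ApplicationInsights", "3.0.41"),
    ("Microsoft.ApplicationInsights.AspNetCore", "2.21.0"),
    ("Microsoft.ApplicationInsights.PerfCounterCollector", "2.21.0"),
    ("System.Diagnostics.PerformanceCounter", "4.7.0"),
    ("System.Configuration.ConfigurationManager", "4.7.0"),
    ("System.Security.Permissions", "4.7.0"),
    ("System.Windows.Extensions", "4.7.0"),
    ("System.Drawing.Common", "4.7.0"),
]

def sample_assets(chain=CHAIN, tfm="net6.0"):  # tfm is an assumed value
    libs = {}
    for i, (name, version) in enumerate(chain):
        deps = dict([chain[i + 1]]) if i + 1 < len(chain) else {}
        libs[f"{name}/{version}"] = {"type": "package", "dependencies": deps}
    return {"targets": {tfm: libs}}

def ver(text):
    """Numeric part of a version as a tuple; prerelease suffixes are ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))

def vulnerable_paths(assets, package, fixed):
    """Return (tfm, path) for every chain ending at `package` below `fixed`."""
    found = []
    for tfm, libs in assets["targets"].items():
        resolved = {key.split("/")[0].lower(): key for key in libs}
        hit = resolved.get(package.lower())
        if hit is None or ver(hit.split("/")[1]) >= ver(fixed):
            continue  # package absent or already at a fixed version
        children = {key: [resolved[d.lower()] for d in lib.get("dependencies", {})
                          if d.lower() in resolved] for key, lib in libs.items()}
        referenced = {c for kids in children.values() for c in kids}
        stack = [[key] for key in libs if key not in referenced]  # top-level refs
        while stack:
            path = stack.pop()
            if path[-1] == hit:
                found.append((tfm, path))
            else:
                stack.extend(path + [c] for c in children[path[-1]] if c not in path)
    return found

if __name__ == "__main__":
    for tfm, path in vulnerable_paths(sample_assets(), "System.Drawing.Common", "4.7.2"):
        print(tfm, " -> ".join(path))
```

On a real project, pass the parsed contents of `obj/project.assets.json` from a completed restore instead of `sample_assets()`.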
