Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Still references potentially vulnerable Microsoft.AspNetCore.Authentication.JwtBearer 5.0.0 package #1532

Closed
Peter-Juhasz opened this issue Nov 16, 2021 · 1 comment
Closed

Still references potentially vulnerable Microsoft.AspNetCore.Authentication.JwtBearer 5.0.0 package #1532

Peter-Juhasz opened this issue Nov 16, 2021 · 1 comment
Labels
bug Something isn't working fixed scenario: improved-security
Milestone
1.21.0

Comments

@Peter-Juhasz
Copy link

Which version of Microsoft Identity Web are you using?
1.20.0

Where is the issue?
Package doesn't support .NET 6 yet and references a vulnerable .NET 5 package, and our build breaks on dependency vulnerability scan.

Repro

<PackageReference Include="Microsoft.Identity.Web" Version="1.20.0" />

or

<PackageReference Include="Microsoft.Identity.Web" Version="1.*" />

Expected behavior
No vulnerable transitive dependencies.

Actual behavior
dotnet list App.sln package --vulnerable --include-transitive

Project `App` has the following vulnerable packages
   [net6.0]: 
   Transitive Package                                   Resolved   Severity   Advisory URL                                     
   > Microsoft.AspNetCore.Authentication.JwtBearer      5.0.0      Moderate   https://github.com/advisories/GHSA-q7cg-43mg-qp69

image

Possible solution
Upgrade all references to .NET 6.
@jmprieur jmprieur added bug Something isn't working scenario: improved-security labels Nov 17, 2021
@jennyf19 jennyf19 mentioned this issue Nov 17, 2021
Merged
@jennyf19 jennyf19 added the fixed label Nov 18, 2021
@jennyf19 jennyf19 added this to the 1.21.0 milestone Nov 20, 2021
@jennyf19
Copy link
Collaborator

Included in 1.21.0 release

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working fixed scenario: improved-security
Projects
None yet
Milestone
1.21.0
Development

No branches or pull requests
3 participants
@Peter-Juhasz @jmprieur @jennyf19