Update Dependency On Azure.Identity >= 1.10.2 For CVE-2023-36414 #2181
Comments
@BlythMeister there is a work in progress to update most of the dependencies versions in near future, in a month or less. We will update this thread when it is done.
I have a step in my build process that scans for vulnerabilities (transient or direct dependencies) and reports any vulnerability as a build warning. Every pipeline for MS should be reporting a build error if a vulnerability is detected with daily builds. It's too easy to do the scanning so there should be a process in place to automate this detection. $0.02
This would also likely update the "DefaultCredential" to support Azure Workload Identity, which would be a welcome addition: https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview?tabs=dotnet#azure-identity-client-libraries
Do we have a timeline on when this fix will become GA as a number of other libraries will need to update their dependencies for this CVE?
@thompson-tomo Current plan is ultimo Feb (this year) 😉
Gentle ping. The problem is still here.
CVE-2024-29992 is not related to this issue. The version was updated to 1.10.3 at the time. PR #2462 is under review to address the new CVE.
@JRahnama that PR was merged 2 weeks ago. What's the timeline on a release?
Microsoft.Data.SqlClient has a dependency on Azure.Identity with a version that is below the remediation for CVE-2023-36414.
Azure.Identity minimum version should be >= 1.10.2 in order to ensure Microsoft.Data.SqlClient is not exposing consumers to the vulnerable version.
Due to NuGet operating a lowest possible version resolution, as standard, any consumer of Microsoft.Data.SqlClient who does not also specify Azure.Identity will be vulnerable.
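An added example (not from this issue or the SqlClient project) of how a consumer can work around the lowest-version behaviour described above until the package itself is updated: a direct `PackageReference` sets a floor that lifts the transitive Azure.Identity to the remediated version, and NuGet's audit warnings are promoted to build errors. The target framework, the SqlClient version placeholder, and SDK support for the audit properties are assumptions.

```xml
<!-- Consumer project file (example.csproj); net8.0 and the audit properties are assumptions -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <!-- Audit direct and transitive packages and turn the NuGet vulnerability
         warnings (NU1901 low .. NU1904 critical) into build errors, so a vulnerable
         transitive dependency fails the build instead of only warning. -->
    <NuGetAuditMode>all</NuGetAuditMode>
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>
  <ItemGroup>
    <!-- PLACEHOLDER version: whichever SqlClient release the project already uses -->
    <PackageReference Include="Microsoft.Data.SqlClient" Version="X.Y.Z" />
    <!-- Explicit direct reference. In NuGet, Version="1.10.2" means the range [1.10.2, ),
         so resolution picks the lowest version satisfying every floor, which is now the
         CVE-2023-36414 remediation rather than SqlClient's lower declared minimum. -->
    <PackageReference Include="Azure.Identity" Version="1.10.2" />
  </ItemGroup>
</Project>
```

After restoring, `dotnet list package --vulnerable --include-transitive` shows whether any resolved package, transitive ones included, still matches a known advisory.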