
Microsoft.Owin.Security.WsFederation has a vulnerable Newtonsoft.Json package dependency #522

Open
suuyashgupta opened this issue Feb 5, 2024 · 10 comments

@suuyashgupta

Microsoft.Owin.Security.WsFederation has a Newtonsoft.Json v10.0.3 package dependency which is vulnerable as can be seen here as well. Could you please upgrade this package to latest to resolve this vulnerability so we could also upgrade it? Thanks.

@suuyashgupta
Author

The version has already been updated, it looks like, on Sep 8, 2022. We just have to create a new release?

@Tratcher
Member

Tratcher commented Feb 5, 2024

You can update your Newtonsoft.Json dependency with a direct reference, you don't require any updates from Microsoft.Owin. This is common practice for patching.

@Tratcher Tratcher added this to the 4.2.3 milestone Feb 5, 2024
@suuyashgupta
Author

@Tratcher Actually, I'm already using the latest version of Newtonsoft.Json in my project but MEND is still detecting the vulnerabilities of transitive packages such as Microsoft.Owin.

@Tratcher
Member

Tratcher commented Feb 6, 2024

Then the tool isn't checking what you're actually using, just what some dependencies have referenced. You're fine if you've updated the dependency locally.

@suuyashgupta
Author

@Tratcher There was one more thing I forgot to mention. project.assets.json file is showing those dependencies as well with lower versions of Newtonsoft. Could that cause any issue?

@Tratcher
Member

Tratcher commented Feb 7, 2024

? I thought project.assets.json was only for .NET Core projects.

@suuyashgupta
Author

@Tratcher Not sure how it's generated in our project built with .NET Framework. No one in the team seems to know about this.
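The exchange above turns on the difference between what a transitive package *declares* (Newtonsoft.Json 10.0.3 as a minimum) and what NuGet actually *resolves* once the project adds a direct reference. The script below is an added example, not code from this issue or from the Microsoft.Owin project: it reads a `project.assets.json` and, per target framework, reports the resolved version next to every transitive declaration, so a flag from a scanner that only reads declared ranges can be checked against the version that really ships. The embedded sample is constructed in the assets-file layout, and the 13.0.3 resolved version is illustrative.

```python
import json
import sys
from typing import Dict, Tuple

# Constructed sample in the shape of a NuGet project.assets.json (heavily abridged; the
# real file also carries "libraries", "compile"/"runtime" maps, and more). The transitive
# package still declares Newtonsoft.Json 10.0.3 as its floor, while the project's direct
# reference makes NuGet resolve 13.0.3 (an illustrative value, not from a real restore).
SAMPLE_ASSETS = json.loads("""{
  "version": 3,
  "targets": {
    ".NETFramework,Version=v4.7.2": {
      "Microsoft.Owin.Security.WsFederation/4.2.2": {
        "type": "package",
        "dependencies": {"Microsoft.Owin.Security": "4.2.2", "Newtonsoft.Json": "10.0.3"}
      },
      "Microsoft.Owin.Security/4.2.2": {"type": "package"},
      "Newtonsoft.Json/13.0.3": {"type": "package"}
    }
  }
}""")


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric lower bound of a NuGet version or range: '13.0.1-beta1' -> (13, 0, 1),
    '[10.0.3, )' -> (10, 0, 3). Prerelease suffixes are dropped for comparison."""
    lower = v.strip("[( ").split(",", 1)[0].strip()
    return tuple(int(p) for p in lower.split("-", 1)[0].split("."))


def audit_package(assets: dict, package: str) -> Dict[str, dict]:
    """Per target framework: the version NuGet resolved for `package` (the 'Name/Version'
    key) and every transitive declaration of it (what a declared-range scanner sees).
    'resolved_meets_floors' is False if the resolved version sits below any declared floor."""
    report: Dict[str, dict] = {}
    for tfm, entries in assets.get("targets", {}).items():
        resolved = None
        declared_by: Dict[str, str] = {}
        for key, entry in entries.items():
            name, _, version = key.partition("/")
            if name.lower() == package.lower():
                resolved = version
            for dep, floor in entry.get("dependencies", {}).items():
                if dep.lower() == package.lower():
                    declared_by[key] = floor
        ok = resolved is not None and all(
            parse_version(resolved) >= parse_version(f) for f in declared_by.values())
        report[tfm] = {"resolved": resolved, "declared_by": declared_by,
                       "resolved_meets_floors": ok}
    return report


if __name__ == "__main__":
    # Pass the path of a real obj/project.assets.json to audit it instead of the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ASSETS
    print(json.dumps(audit_package(data, "Newtonsoft.Json"), indent=2))
```

Whether the resolved version is actually at or above the fixed release is the remaining question; the script shows which version that check has to be made against, rather than the 10.0.3 floor a scanner reports.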

@suuyashgupta
Author

Do we have a timeline when 4.2.3 would be released?

@Tratcher
Member

No, you'd have to convince @adityamandaleeka that it's urgent.

@jthorpe80

I'm also waiting on 4.2.3 for #513. 4.2.2 was last released almost two years ago, so why the delay?
