CVE-2018-8292 on Akka.Streams and Akka.Remote #7191
Comments
FWIW, this is a dumb CVE that doesn't even have any real exposure in Akka.NET - it all stems from calls in System.Net.Http, which we don't use anywhere in the framework.
What blows my mind is that CodeQL hasn't even detected this on any of the hundreds of PRs it's scanned since this CVE was filed - guess it's because we're not adding it in a new PR?
Probably because CodeQL only scans the dependency graph 1 layer deep; it doesn't do a full dependency graph scan.
We just need to bump Reactive.Streams to 1.0.3 and we should be golden.
Resolved via #7213
CVE report: https://nvd.nist.gov/vuln/detail/cve-2018-8292
Currently, Akka.Streams and Akka.Remote are affected by this CVE due to transitive dependencies on System.Net.Http and Reactive.Streams. Note that anything that references .NET Standard 1.6 will be affected by this CVE.
Things that need to be done to correct this:
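An added example (not from the Akka.NET project or this thread) showing the point raised in the comments: a scanner that only looks at direct dependencies never sees System.Net.Http, while a walk of the full transitive graph reports every path that pulls it in. The dependency graph below is constructed for the example and does not reproduce the real package manifests.

```python
from collections import deque

# Constructed graph: package -> direct dependencies. It only models the shape
# described in the issue (the vulnerable package sits several hops below the
# project, reached through Akka.Streams / Akka.Remote and the netstandard1.6
# support library); it is not the real dependency tree of these packages.
DEPS = {
    "MyService":           ["Akka.Streams", "Akka.Remote"],
    "Akka.Streams":        ["Akka", "Reactive.Streams"],
    "Akka.Remote":         ["Akka", "Google.Protobuf"],
    "Akka":                ["NETStandard.Library"],
    "Reactive.Streams":    ["NETStandard.Library"],
    "NETStandard.Library": ["System.Net.Http"],
    "Google.Protobuf":     [],
    "System.Net.Http":     [],
}


def find_paths(graph, root, target, max_depth=None):
    """Return every dependency path from root to target as a list of package
    names. max_depth=1 mimics a scanner that inspects only direct references;
    max_depth=None walks the whole transitive closure."""
    paths = []
    queue = deque([[root]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target and len(path) > 1:
            paths.append(path)
            continue
        if max_depth is not None and len(path) - 1 >= max_depth:
            continue  # scanner gives up at this depth
        for dep in graph.get(node, []):
            if dep not in path:  # never revisit a package already on the path
                queue.append(path + [dep])
    return paths


if __name__ == "__main__":
    shallow = find_paths(DEPS, "MyService", "System.Net.Http", max_depth=1)
    full = find_paths(DEPS, "MyService", "System.Net.Http")
    print("direct-only scan found:", shallow)  # nothing: the dependency is transitive
    print("full transitive walk found %d path(s):" % len(full))
    for p in full:
        print("  " + " -> ".join(p))
```

Each reported path names the package whose version bump (here Reactive.Streams, as the thread concludes) or whose parent's bump would cut the chain to the vulnerable component.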