Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update HIGH vulnerable dependencies [SECURITY] #13

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update HIGH vulnerable dependencies [SECURITY] #13

wants to merge 1 commit into from
+11,922 −11,922

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 20, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
Azure.Identity (source) 1.9.0 -> 1.11.4 age adoption passing confidence
lodash (source) 4.17.20 -> 4.17.21 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-36414

Azure Identity SDK is vulnerable to remote code execution.

Azure Identity Library for .NET Information Disclosure Vulnerability

CVE-2024-29992 / GHSA-wvxc-855f-jvrv

More information

Details

Azure Identity Library for .NET Information Disclosure Vulnerability

Severity

  • CVSS Score: 5.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Azure Identity SDK Remote Code Execution Vulnerability

CVE-2023-36414 / GHSA-5mfx-4wcx-rv27

More information

Details

Azure Identity SDK is vulnerable to remote code execution.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

CVE-2024-35255 / GHSA-m5vv-6r4h-3vj9 / GO-2024-2918

More information

Details

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

Severity

  • CVSS Score: 5.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

CVE-2020-28500

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Steps to reproduce (provided by reporter Liyuan Chen):

var lo = require('lodash');

function build_blank(n) {
    var ret = "1"
    for (var i = 0; i < n; i++) {
        ret += " "
    }
    return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s) 
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);

CVE-2021-23337

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Regular Expression Denial of Service (ReDoS) in lodash

CVE-2020-28500 / GHSA-29mw-wpgm-hmr9 / SNYK-JAVA-ORGFUJIONWEBJARS-1074896 / SNYK-JAVA-ORGWEBJARS-1074894 / SNYK-JAVA-ORGWEBJARSBOWER-1074892 / SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895 / SNYK-JAVA-ORGWEBJARSNPM-1074893 / SNYK-JS-LODASH-1018905

More information

Details

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Steps to reproduce (provided by reporter Liyuan Chen):

var lo = require('lodash');

function build_blank(n) {
    var ret = "1"
    for (var i = 0; i < n; i++) {
        ret += " "
    }
    return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s) 
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Command Injection in lodash

CVE-2021-23337 / GHSA-35jh-r3h4-6jhm / SNYK-JAVA-ORGFUJIONWEBJARS-1074932 / SNYK-JAVA-ORGWEBJARS-1074930 / SNYK-JAVA-ORGWEBJARSBOWER-1074928 / SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931 / SNYK-JAVA-ORGWEBJARSNPM-1074929 / SNYK-JS-LODASH-1040724

More information

Details

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Severity

  • CVSS Score: 7.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

Azure/azure-sdk-for-net (Azure.Identity)

v1.11.4

Compare Source

1.11.4 (2024-06-10)

Bugs Fixed
  • Managed identity bug fixes

v1.11.3

Compare Source

1.11.3 (2024-05-07)

Bugs Fixed
  • Fixed a regression in DefaultAzureCredential probe request behavior for IMDS managed identity environments. #​43796

v1.11.2

Compare Source

1.11.2 (2024-04-19)

Bugs Fixed
  • Fixed an issue which caused claims to be incorrectly added to confidential client credentials such as DeviceCodeCredential #​43468

v1.11.1

Compare Source

1.11.1 (2024-05-07)

Other Changes
  • Updated Microsoft.Identity.Client and related dependencies to version 4.60.3

v1.11.0

Compare Source

1.11.0 (2024-04-09)

Bugs Fixed
  • AzurePowerShellCredential now handles the case where it falls back to legacy PowerShell without relying on the error message string.
Breaking Changes
  • DefaultAzureCredential now sends a probe request with no retries for IMDS managed identity environments to avoid excessive retry delays when the IMDS endpoint is not available. This should improve credential chain resolution for local development scenarios. See BREAKING_CHANGES.md.

v1.10.4

Compare Source

1.10.4 (2023-11-13)

Other Changes

v1.10.3

Compare Source

1.10.3 (2023-10-18)

Bugs Fixed
  • ManagedIdentityCredential will now correctly retry when the instance metadata endpoint returns a 410 response. #​28568
Other Changes
  • Updated Microsoft.Identity.Client dependency to version 4.56.0

v1.10.2

Compare Source

1.10.2 (2023-10-10)

Bugs Fixed
  • Bug fixes for development time credentials.

v1.10.1

Compare Source

1.10.1 (2023-09-12)

Bugs Fixed
  • ManagedIdentityCredential will fall through to the next credential in the chain in the case that Docker Desktop returns a 403 response when attempting to access the IMDS endpoint. #​38218
  • Fixed an issue where interactive credentials would still prompt on the first GetToken request even when the cache is populated and an AuthenticationRecord is provided. #​38431

v1.10.0

Compare Source

1.10.0 (2023-08-14)

Features Added
  • Added BrowserCustomization property to InteractiveBrowserCredential to enable web view customization for interactive authentication.
Bugs Fixed
  • ManagedIdentityCredential will no longer attempt to parse invalid json payloads on responses from the managed identity endpoint.
  • Fixed an issue where AzurePowerShellCredential fails to parse the token response from Azure PowerShell. #​22638
lodash/lodash (lodash)

v4.17.21

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the security label Feb 20, 2024
@renovate renovate bot force-pushed the renovate/high-vulnerable-dependencies branch from 70d1eb8 to 7bac8a6 Compare February 26, 2024 02:38
@renovate renovate bot changed the title Update dependency lodash to v4.17.21 [SECURITY] Update HIGH vulnerable dependencies [SECURITY] Feb 26, 2024
@renovate renovate bot force-pushed the renovate/high-vulnerable-dependencies branch from 7bac8a6 to 22715f5 Compare April 14, 2024 14:45
@renovate renovate bot force-pushed the renovate/high-vulnerable-dependencies branch from 22715f5 to 31606a7 Compare June 16, 2024 05:40
@renovate renovate bot force-pushed the renovate/high-vulnerable-dependencies branch 5 times, most recently from 6797dcd to 90c6349 Compare September 9, 2024 17:59
@renovate renovate bot force-pushed the renovate/high-vulnerable-dependencies branch 4 times, most recently from 1cbaf55 to effd6d1 Compare September 17, 2024 02:54
@renovate renovate bot force-pushed the renovate/high-vulnerable-dependencies branch 5 times, most recently from eef69f0 to 728d86c Compare September 24, 2024 02:54
@renovate renovate bot force-pushed the renovate/high-vulnerable-dependencies branch 4 times, most recently from d541efa to db2462a Compare October 5, 2024 02:21
@renovate renovate bot force-pushed the renovate/high-vulnerable-dependencies branch 7 times, most recently from 71cf991 to 73d48dd Compare October 13, 2024 02:48
@renovate renovate bot force-pushed the renovate/high-vulnerable-dependencies branch 2 times, most recently from b1ff130 to ea709cf Compare October 19, 2024 08:24
@renovate renovate bot force-pushed the renovate/high-vulnerable-dependencies branch 6 times, most recently from 6976716 to 29c03f5 Compare October 27, 2024 08:26
@renovate renovate bot force-pushed the renovate/high-vulnerable-dependencies branch 4 times, most recently from 8706eea to f14a69f Compare November 4, 2024 23:28
@renovate renovate bot force-pushed the renovate/high-vulnerable-dependencies branch 4 times, most recently from 8a4a815 to 7e1e0ee Compare November 13, 2024 05:58
@renovate renovate bot force-pushed the renovate/high-vulnerable-dependencies branch 4 times, most recently from b7658b6 to 7ddc76f Compare November 18, 2024 08:58
@renovate renovate bot force-pushed the renovate/high-vulnerable-dependencies branch 7 times, most recently from a929b46 to 447d230 Compare November 29, 2024 05:35
@renovate renovate bot force-pushed the renovate/high-vulnerable-dependencies branch from 447d230 to d91ac1f Compare December 1, 2024 02:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants