CVE-2021-24112 | System.Drawing.Common #2

Closed
mschaefer-gresham opened this issue Feb 1, 2023 · 6 comments

@mschaefer-gresham

mschaefer-gresham commented Feb 1, 2023

Please fix this security vulnerability.

@mschaefer-gresham mschaefer-gresham added the bug Something isn't working label Feb 1, 2023
@sungam3r
Member

sungam3r commented Feb 1, 2023

Rel: DbUp/DbUp#404

@sungam3r
Member

I see no references to System.Drawing.Common. Please reopen with additional info if any.

@paleocomburo

It's not a direct inclusion, but a transient one. dbup-mysql 5.0.37 uses MySql.Data 8.0.33, which uses System.Threading.Tasks.Extensions 4.5.4, which uses System.Drawing.Common 4.7.0.

There is a work-around: reference a newer version of System.Drawing.Common in your application. That seems to satisfy my scanner at least. You could also consider referencing a newer version in the dbup-mysql library. But ultimately it should be fixed in the MySql.Data.

@mjauernig mjauernig reopened this Nov 9, 2023
@mjauernig
Member

Would MySql.Data 8.2.0 fix this?

@paleocomburo

Doesn't look like it:

```
$ cat .\ConsoleApp1.csproj
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net7.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="MySql.Data" Version="8.2.0" />
  </ItemGroup>

</Project>

$ dotnet list package --vulnerable --include-transitive

The following sources were used:
   https://api.nuget.org/v3/index.json
   https://pkgs.dev.azure.com/kpn/_packaging/iTV-Nuget/nuget/v3/index.json
   C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\

Project `ConsoleApp1` has the following vulnerable packages
   [net7.0]:
   Transitive Package           Resolved   Severity   Advisory URL
   > System.Drawing.Common      4.7.0      Critical   https://github.com/advisories/GHSA-rxg9-xrhp-64gj
```
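
An added example, not part of the thread or of the DbUp project: a Python parser for the text report that `dotnet list package --vulnerable --include-transitive` prints above, usable as a CI gate that also fails on transitive findings. The sample input is constructed from the quoted output, and the extra `Requested` column on top-level rows is an assumed layout.

```python
import re

# Constructed sample: the scan output quoted in the thread, feed list omitted.
SAMPLE = """\
Project `ConsoleApp1` has the following vulnerable packages
   [net7.0]:
   Transitive Package           Resolved   Severity   Advisory URL
   > System.Drawing.Common      4.7.0      Critical   https://github.com/advisories/GHSA-rxg9-xrhp-64gj
"""

PROJECT = re.compile(r"^Project `(?P<name>[^`]+)` has the following vulnerable packages")
FRAMEWORK = re.compile(r"^\s*\[(?P<tfm>[^\]]+)\]:\s*$")
HEADER = re.compile(r"^\s*(?P<kind>Top-level|Transitive) Package\b")


def parse_vulnerable(report):
    """Return one dict per vulnerable package row in the text report."""
    findings, project, tfm, kind = [], None, None, None
    for line in report.splitlines():
        if m := PROJECT.match(line):
            project, tfm, kind = m["name"], None, None
        elif m := FRAMEWORK.match(line):
            tfm, kind = m["tfm"], None
        elif m := HEADER.match(line):
            kind = m["kind"].lower()
        elif line.lstrip().startswith(">") and kind:
            cols = line.split()[1:]  # drop the leading ">"
            # Top-level rows carry an extra "Requested" column (assumed layout);
            # the last three columns are always resolved, severity, advisory.
            findings.append({
                "project": project, "framework": tfm, "kind": kind,
                "package": cols[0], "resolved": cols[-3],
                "severity": cols[-2], "advisory": cols[-1],
            })
    return findings


def gate(findings, fail_on=("High", "Critical")):
    """Return the findings that should fail a build, transitive ones included."""
    return [f for f in findings if f["severity"] in fail_on]


if __name__ == "__main__":
    for f in gate(parse_vulnerable(SAMPLE)):
        print(f"{f['project']} [{f['framework']}] {f['kind']}: "
              f"{f['package']} {f['resolved']} ({f['severity']}) {f['advisory']}")
```
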

@droyad droyad transferred this issue from DbUp/DbUp Jan 30, 2024
@droyad
Member

droyad commented Jul 29, 2024

All dependencies have been updated in #15

@droyad droyad closed this as completed Jul 29, 2024
@github-project-automation github-project-automation bot moved this from v6 to Done in Issue sorting Jul 29, 2024