Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] Dependency System.Text.Json 4.7.2 is affected by CVE-2021-26701 Security Vulnerability #1985

Closed
nmaric02-quest opened this issue Dec 14, 2022 · 1 comment
Closed

[Bug] Dependency System.Text.Json 4.7.2 is affected by CVE-2021-26701 Security Vulnerability #1985

nmaric02-quest opened this issue Dec 14, 2022 · 1 comment
Labels
Bug Product is not functioning as expected Customer reported Indicates issue was opened by customer
Milestone
December refresh

Comments

@nmaric02-quest
Copy link

Using latest version:
System.IdentityModel.Tokens.Jwt 6.25.1

with following transitive dependencies:
Microsoft.IdentityModel.JsonWebTokens 6.25.1
Microsoft.IdentityModel.Tokens 6.25.1

The problem is dependency on System.Text.Json, 4.7.2
This version is affected by CVE-2021-26701 (GHSA-ghhp-997w-qr28) through transitive dependency on System.Text.Encodings.Web 4.7.1.

The issue is fixed in subsequent releases of System.Text.Json - (>= 5.0.2)

Suggested fix:
Update dependency to the latest version of System.Text.Json
@brentschmaltz brentschmaltz added Customer reported Indicates issue was opened by customer Bug Product is not functioning as expected labels Dec 22, 2022
TimHannMSFT added a commit that referenced this issue Jan 11, 2023
@TimHannMSFT
Update System.Text.Encodings.Web to address #1985
39236c2
@TimHannMSFT TimHannMSFT mentioned this issue Jan 11, 2023
Merged
TimHannMSFT added a commit that referenced this issue Jan 12, 2023
@TimHannMSFT
Update System.Text.Encodings.Web to address #1985 (#1997)
73691c9
@KalleOlaviNiemitalo KalleOlaviNiemitalo mentioned this issue Feb 22, 2023
Closed
@TimHannMSFT TimHannMSFT mentioned this issue Aug 29, 2023
Open
@brentschmaltz brentschmaltz added this to the December refresh milestone Oct 10, 2023
@jennyf19
Copy link
Collaborator

Closing, as I'm assuming this is not an issue anymore with 7x? If I'm wrong, please re-open and we will prioritize. @nmaric02-quest

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Product is not functioning as expected Customer reported Indicates issue was opened by customer
Projects
None yet
Milestone
December refresh
Development

No branches or pull requests
3 participants
@brentschmaltz @jennyf19 @nmaric02-quest