
Snyk.IO vulnerability reported on the framework code base #1982


Repunjay created
  • ABP Framework version: v4.3.1
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • We have recently upgraded our project to .Net 5.0 and ABP framework version 4.3.1. During source code scanning by the Snyk.IO tool, it is reporting the below vulnerability in our projects. There is no direct reference to the package "System.Text.Encodings.Web" in our projects, so we are not sure whether the ABP framework code is using this library and it is not updated. Could you please advise how it can be resolved - through an ABP version upgrade or something else?

Remote Code Execution (RCE) System.Text.Encodings.Web 5.0.0 CVE-2021-26701 CWE-94

  • Also added the Dockerfile content of one of the projects which gets deployed in a container:

```dockerfile
# Use Alpine Base Image
FROM mcr.microsoft.com/dotnet/aspnet:5.0-alpine AS base
WORKDIR /app
EXPOSE 80
EXPOSE 443

# Use Alpine Base Image
FROM mcr.microsoft.com/dotnet/sdk:5.0-alpine AS build
WORKDIR /src
COPY . .
WORKDIR "/src/SCV.Litmus/aspnet-core/microservices/SCV.Litmus.FinanceManagement.HttpApi.Host"
RUN dotnet restore
RUN dotnet build -c Release -o /app

FROM build AS publish
RUN dotnet publish -c Release -o /app

FROM base AS final
# upgrade musl to remove potential vulnerability
RUN apk upgrade musl
WORKDIR /app
COPY --from=publish /app .
ENTRYPOINT ["dotnet", "SCV.Litmus.FinanceManagement.HttpApi.Host.dll"]
```


3 Answer(s)
  • alper created
    Support Team Director

    The System.Text.Encodings.Web package is owned by Microsoft and used by the ABP Framework. See the reference github.com/abpframework/Volo.Abp.Core.csproj.

    You can update it in your project to the latest version, 5.0.1:

    Install-Package System.Text.Encodings.Web -Version 5.0.1
    
  • Repunjay created

    As I mentioned earlier, we don't refer to the System.Text.Encodings.Web package directly in our project. It seems to be an indirect dependency in our project through the Volo.Abp.Core library. Please suggest:

    1. Which version of the Volo.Abp.Core package should be used/upgraded in the project to mitigate the dependency? Currently, we are using version 4.3.1. OR
    2. Will directly referencing/updating our project to use the System.Text.Encodings.Web package resolve the issue?
  • alper created
    Support Team Director

    I know that it's not directly referenced in your project, but if you directly reference it, the vulnerable version will be updated to the latest. Do not update a single ABP library! If you want to update ABP, use ABP CLI or ABP Suite to update it all.

    Directly referencing it will overwrite the current version of the System.Text.Encodings.Web package.
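The two points raised in this thread, whether System.Text.Encodings.Web reaches the build only through Volo.Abp.Core and whether a direct PackageReference to 5.0.1 actually changes the resolved version, can both be checked from the restore graph NuGet writes to obj/project.assets.json. The script below is an added example written for this page; it is not ABP's or Microsoft's code. It assumes the assets-file shape produced by dotnet restore (a "targets" map keyed by "Name/Version" with per-package "dependencies", and "projectFileDependencyGroups" listing the project's own references), and the BEFORE and AFTER dictionaries are constructed excerpts modelled on the versions named in the thread, not a real restore of the poster's project. The fix version 5.0.1 is the one alper gives.

```python
import json

# Fix version for CVE-2021-26701 in System.Text.Encodings.Web, as stated in the thread.
FIXED_VERSION = (5, 0, 1)
TFM = "net5.0"


def parse_version(text):
    """Turn '5.0.0' or a NuGet range like '[5.0.0, )' into a comparable tuple (lower bound)."""
    lower = text.strip().lstrip("[(").split(",")[0].strip().rstrip("])")
    parts = []
    for piece in lower.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def load_graph(assets, tfm=TFM):
    """Map lower-cased package name -> (display name, resolved version, {dep name: range})."""
    graph = {}
    for key, node in assets["targets"][tfm].items():
        name, _, version = key.partition("/")
        deps = {d.lower(): r for d, r in node.get("dependencies", {}).items()}
        graph[name.lower()] = (name, version, deps)
    return graph


def direct_references(assets, tfm=TFM):
    """The project's own PackageReferences, e.g. 'Volo.Abp.Core >= 4.3.1' -> 'volo.abp.core'."""
    return [line.split()[0].lower() for line in assets["projectFileDependencyGroups"][tfm]]


def dependency_paths(graph, roots, target):
    """All paths from a direct reference down to `target`, as display names."""
    found = []

    def walk(name, path, seen):
        if name in seen or name not in graph:
            return
        display, _, deps = graph[name]
        path = path + [display]
        if name == target:
            found.append(path)
            return
        for dep in deps:
            walk(dep, path, seen | {name})

    for root in roots:
        walk(root, [], frozenset())
    return found


def audit(assets, package="System.Text.Encodings.Web", fixed=FIXED_VERSION, tfm=TFM):
    """Report how `package` enters the build and whether the resolved version is below the fix."""
    graph = load_graph(assets, tfm)
    roots = direct_references(assets, tfm)
    key = package.lower()
    if key not in graph:
        return {"resolved": None, "vulnerable": False, "direct": False, "paths": []}
    _, version, _ = graph[key]
    return {
        "resolved": version,
        "vulnerable": parse_version(version) < fixed,
        "direct": key in roots,
        "paths": dependency_paths(graph, roots, key),
    }


# Constructed excerpt in the shape of obj/project.assets.json: only Volo.Abp.Core 4.3.1
# is referenced directly, and it pulls in System.Text.Encodings.Web 5.0.0 (the Snyk finding).
BEFORE = {
    "targets": {TFM: {
        "Volo.Abp.Core/4.3.1": {"type": "package",
                                "dependencies": {"System.Text.Encodings.Web": "5.0.0"}},
        "System.Text.Encodings.Web/5.0.0": {"type": "package"},
    }},
    "projectFileDependencyGroups": {TFM: ["Volo.Abp.Core >= 4.3.1"]},
}

# Constructed excerpt after adding the direct reference alper suggests: Volo.Abp.Core still
# asks for >= 5.0.0, but NuGet's nearest-wins rule resolves the direct reference, 5.0.1.
AFTER = {
    "targets": {TFM: {
        "Volo.Abp.Core/4.3.1": {"type": "package",
                                "dependencies": {"System.Text.Encodings.Web": "5.0.0"}},
        "System.Text.Encodings.Web/5.0.1": {"type": "package"},
    }},
    "projectFileDependencyGroups": {TFM: ["Volo.Abp.Core >= 4.3.1",
                                          "System.Text.Encodings.Web >= 5.0.1"]},
}

if __name__ == "__main__":
    for label, assets in (("before", BEFORE), ("after", AFTER)):
        print(label, json.dumps(audit(assets)))
```

Point `audit()` at `json.load(open("obj/project.assets.json"))` for a real project and the "paths" entry shows which top-level reference drags the package in, which is the answer to the original question; the "after" run shows that the direct 5.0.1 reference becomes the resolved version without touching any Volo.Abp.* package, which is the mechanism alper relies on.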

Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11