Open Closed

Vulnerabilities reported while scanning code base #419


0
Repunjay created

Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

  • ABP Framework version: v3.0.4
  • UI type: Angular
  • Tiered (MVC) or Identity Server Seperated (Angular): yes
  • Exception message and stack trace:
  • We scanned our project code base through Snyk tool (Synk.io) and it reported few vulnerabilites. While reviewing we found that the assemblies like "System.Net.Http" and "System.Text.RegularExpressions" are not directly referenced in our code base and thus we could n't upgrade them to latest and resolve these issues. Is this something, ABP can do upgrade of framework code base in order for us to address these issues. Below are the vulnerabilities reported -

Denial of Service (DoS) Improper Certificate Validation Information Exposure Regular Expression Denial of Service (ReDoS) Privilege Escalation Authentication Bypass

Vulnerable module: System.Net.Http Introduced through: [email protected] and [email protected] Exploit maturity: No known exploit Fixed in: 4.1.2, 4.3.2 Introduced through: [email protected]* › [email protected][email protected][email protected] Introduced through: [email protected]* › [email protected][email protected][email protected][email protected] Introduced through: [email protected]* › [email protected][email protected][email protected][email protected]

Vulnerable module: System.Text.RegularExpressions Introduced through: [email protected] Exploit maturity: No known exploit Fixed in: 4.3.1 Introduced through: [email protected]* › [email protected][email protected]

  • Steps to reproduce the issue:

1 Answer(s)
  • 0
    alper created
    Support Team

    I couldn't find System.Net.Http or System.Text.RegularExpressions in ABP new projects. Maybe one of your libraries added these DLLs.,

    Angular:


    MVC: