
[ SignalR ] TypeScript EventSource dependency security vulnerability #69546

Closed
GO3LIN opened this issue May 19, 2022 · 3 comments


GO3LIN commented May 19, 2022

The EventSource library had a security issue and got patched ~1 week ago, just after the last SignalR version. The vulnerability is about information disclosure in headers (high risk) and is causing our DevSecOps pipeline to fail. Can you please update the EventSource dependency to the latest version?

@ghost ghost added the untriaged New issue has not been triaged by the area owner label May 19, 2022

ghost commented May 19, 2022

Tagging subscribers to this area: @tarekgh, @tommcdon, @pjanotti
See info in area-owners.md if you want to be subscribed.


Author: GO3LIN
Assignees: -
Labels: area-System.Diagnostics.Tracing, untriaged
Milestone: -

@tommcdon (Member) commented

Hello @GO3LIN! I'm closing this issue, as this repo is for the .NET implementation of EventSource. This particular problem seems to be related to the JavaScript eventsource package, which seems to be getting the 1.1 version of eventsource: EventSource/eventsource#273 (comment). Since there may be a JavaScript package reference from SignalR, please feel free to open a tracking issue in https://github.com/signalr/signalr.

@ghost ghost removed the untriaged New issue has not been triaged by the area owner label May 19, 2022
@BrennanConroy (Member) commented

FYI, ASP.NET Core SignalR is located at https://github.com/dotnet/aspnetcore.

For this issue specifically, EventSource 1.1.1 is not vulnerable, but most vulnerability databases don't seem to be updated yet: EventSource/eventsource#273 (comment)

@dotnet dotnet locked as resolved and limited conversation to collaborators Jun 19, 2022