[CSHARP-3869] Update SharpCompress to remedy vulnerability Created: 20/Sep/21  Updated: 28/Oct/23  Resolved: 22/Nov/21

Status: Closed
Project: C# Driver
Component/s: None
Affects Version/s: None
Fix Version/s: 2.14.0

Type: Task Priority: Unknown
Reporter: Aleksander Sleire Assignee: Dmitry Lukyanov (Inactive)
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-09-20-14-50-06-298.png, PNG File image-2021-09-20-16-38-20-494.png
Issue Links:
Duplicate
is duplicated by CSHARP-3871 CVE-2021-39208 in SharpCompress Nuget Closed
Related

Description

There is a vulnerability in SharpCompress versions earlier than 0.29.0 as reported by Snyk: https://snyk.io/vuln/SNYK-DOTNET-SHARPCOMPRESS-1585664

As noted in below comments, the driver's usage of SharpCompress does not expose the vulnerability.


Comments
Comment by Githook User [ 22/Nov/21 ]

Author:

{'name': 'Dmitry Lukyanov', 'email': 'dmitry.lukyanov@mongodb.com', 'username': 'DmitryLukyanov'}

Message: CSHARP-3869: Update SharpCompress to remedy vulnerability. (#690)
Branch: master
https://github.com/mongodb/mongo-csharp-driver/commit/9e82a088cec2f98e5d7c85010ef783e0c20989e7

Comment by Dmitry Lukyanov (Inactive) [ 20/Sep/21 ]

Hey aleksander@idfy.io,

I've checked your suggestion. Looking at the Directory Traversal vulnerability description, it looks like we're safe now, since the provided description says that it can be a problem only if ExtractFullPath is set to true. Looking at the source code, it happens only in tests by default and we don't set this option in the driver, so likely we're safe now.

However, it looks like a good enough idea to have the version of this dependency up to date in any case. Unfortunately, I see a bug in the latest versions that I filed here. So I'm moving this ticket to blocked until that issue is resolved.
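The comment above hinges on whether archive entry paths are honoured on extraction. As an added illustration (not code from the driver or from SharpCompress), the helper below shows the containment check a defender would want whenever entry names from an untrusted archive are used to build destination paths; the class name, the sample entry keys and the destination root are constructed for this example.

```csharp
using System;
using System.IO;

// Added example, not driver or SharpCompress code. Resolves an archive entry
// key against a destination root and rejects any key that would escape it,
// which is the directory-traversal class of bug the ticket refers to.
public static class SafeExtractPath
{
    // Returns the on-disk path for the entry, or null if the entry would land
    // outside destinationRoot (e.g. "../../etc/passwd" or an absolute key).
    public static string? Resolve(string destinationRoot, string entryKey)
    {
        if (string.IsNullOrWhiteSpace(entryKey)) return null;

        // Normalise the root to an absolute path ending in a separator so that
        // "/tmp/out" is not treated as a prefix of "/tmp/outside".
        string root = Path.GetFullPath(destinationRoot)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // Archive keys conventionally use '/'; map to the platform separator
        // and refuse rooted keys before combining.
        string relative = entryKey.Replace('/', Path.DirectorySeparatorChar);
        if (Path.IsPathRooted(relative)) return null;

        // GetFullPath collapses any ".." segments; the prefix test then tells
        // us whether the collapsed path is still under the root.
        string candidate = Path.GetFullPath(Path.Combine(root, relative));
        return candidate.StartsWith(root, StringComparison.Ordinal) ? candidate : null;
    }

    public static void Main()
    {
        // Constructed entry keys, as they might appear in an untrusted archive.
        string root = Path.Combine(Path.GetTempPath(), "extract-demo");
        string[] keys = { "docs/readme.txt", "../../outside.txt", "/abs/path.txt", "a/../b.txt" };
        foreach (string key in keys)
        {
            string? resolved = Resolve(root, key);
            Console.WriteLine($"{key,-20} -> {(resolved is null ? "REJECTED" : resolved)}");
        }
    }
}
```

Applying `Resolve` to each entry key before writing it to disk makes the extraction safe regardless of whether full paths are honoured.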

Comment by Aleksander Sleire [ 20/Sep/21 ]

Interestingly, Site247 says that the link does not work in America.

This link should work: https://snyk.io/vuln/nuget:sharpcompress

Can you see the Directory Traversal vulnerability there?

Comment by Jeffrey Yemin [ 20/Sep/21 ]

Probably the website required you to log in.

Comment by Aleksander Sleire [ 20/Sep/21 ]

Hi Jeffrey,

I don't know how it can produce a 404. It works for me in an incognito window:

Comment by Jeffrey Yemin [ 20/Sep/21 ]

Hi aleksander@idfy.io

The link you provided generates an HTTP 404. Can you provide an updated link?

Thanks.
