[CSHARP-3869] Update SharpCompress to remedy vulnerability Created: 20/Sep/21 Updated: 28/Oct/23 Resolved: 22/Nov/21 |
| Status: | Closed |
| Project: | C# Driver |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 2.14.0 |
| Type: | Task |
| Priority: | Unknown |
| Reporter: | Aleksander Sleire |
| Assignee: | Dmitry Lukyanov (Inactive) |
| Resolution: | Fixed |
| Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Description |
There is a vulnerability in SharpCompress versions earlier than 0.29.0, as reported by Snyk: https://snyk.io/vuln/SNYK-DOTNET-SHARPCOMPRESS-1585664. As noted in the comments below, the driver's usage of SharpCompress does not expose the vulnerability.
| Comments |
| Comment by Githook User [ 22/Nov/21 ] |
Author: {'name': 'Dmitry Lukyanov', 'email': 'dmitry.lukyanov@mongodb.com', 'username': 'DmitryLukyanov'}
Message:
| Comment by Dmitry Lukyanov (Inactive) [ 20/Sep/21 ] |
Hey aleksander@idfy.io, I've checked your suggestion. Looking at the Directory Traversal vulnerability description, it looks like we're safe now, since the provided description says that it can be a problem only if ExtractFullPath is set to true. Looking at the source code, it happens only in tests by default, and we don't set this option in the driver, so likely we're safe now. However, it looks like a good enough idea to have the version of this dependency up to date in any case. Unfortunately, I see a bug in the latest versions that I filed here. So I'm moving this ticket to blocked until that issue is resolved.
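As an added illustration (not code from the driver or from SharpCompress), this is the kind of containment check an extractor needs when entry paths from the archive are honoured, which is the ExtractFullPath = true case discussed above: each entry name is resolved against the destination root and rejected if the canonical result escapes it. The helper name and the sample entry names are constructed for this example.

```csharp
// Added example, not MongoDB C# driver or SharpCompress code. It uses only
// System.IO; the SharpCompress calls it would sit in front of (for instance
// writing an entry to a directory with ExtractFullPath enabled) are assumed
// from that library's public API and deliberately not invoked here.
using System;
using System.IO;

static class SafeExtract
{
    // Returns the destination path for entryKey under destinationRoot, or null
    // when the entry would land outside the root (e.g. "../../escape.txt").
    public static string? ResolveWithinRoot(string destinationRoot, string entryKey)
    {
        // Canonicalise the root and make sure it ends with exactly one separator,
        // so that "out" cannot be satisfied by a sibling such as "out-other".
        string root = Path.GetFullPath(destinationRoot)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // Path.Combine returns the second argument unchanged when it is rooted,
        // and GetFullPath collapses "." and ".." segments; both cases are then
        // caught by the prefix comparison below.
        string candidate = Path.GetFullPath(Path.Combine(root, entryKey));

        // Ordinal comparison; on case-insensitive file systems a case-insensitive
        // comparison may be the appropriate choice.
        return candidate.StartsWith(root, StringComparison.Ordinal) ? candidate : null;
    }

    public static void Main()
    {
        // Constructed entry names: one benign relative path, one parent-directory
        // escape, one absolute path.
        foreach (var key in new[] { "data/file.bson", "../../escape.txt", "/abs/path.txt" })
        {
            var resolved = ResolveWithinRoot("./out", key);
            Console.WriteLine($"{key,-20} -> {(resolved is null ? "REJECTED" : resolved)}");
        }
    }
}
```

With ExtractFullPath left at its default, only the file name portion of each entry is written, which is why the driver's usage is not affected; the check above matters once the full relative path is honoured.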
| Comment by Aleksander Sleire [ 20/Sep/21 ] |
Interestingly, Site247 says that the link does not work in America. This link should work: https://snyk.io/vuln/nuget:sharpcompress Can you see the Directory Traversal vulnerability there?
| Comment by Jeffrey Yemin [ 20/Sep/21 ] |
Probably the website required you to log in.
| Comment by Aleksander Sleire [ 20/Sep/21 ] |
Hi Jeffrey, I don't know how it can produce a 404. It works for me in an incognito window:
| Comment by Jeffrey Yemin [ 20/Sep/21 ] |
The link you provided generates an HTTP 404. Can you provide an updated link? Thanks.