System.Data.SqlClient v4.4.0 referenced by AWSXRayRecorder v2.14.0 has security issue #293

Open
OceanSJY opened this issue Mar 13, 2024 · 1 comment

@OceanSJY

The System.Data.SqlClient v4.4.0 was highlighted by Veracode since it has a high severity issue:

  • Issue ID: 271795222
  • Issue Type: Vulnerability
  • Severity: 8.7
  • Description: CVE-2024-0056: Credential Exposure
    Microsoft.Data.SqlClient is vulnerable to Credential Exposure. The vulnerability is due to improper handling of TLS connections, allowing an attacker to read or modify traffic between the server and client. The attacker would have to position themself between the client and server, resulting in database credential exposure.

Could you please release a new version to reference a new version (e.g. v4.8.6) of System.Data.SqlClient to fix this issue?

@mxiamxia

Thanks for reporting it. Will take a look

<PackageReference Include="System.Data.SqlClient" Version="4.4.0" />
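
Added example, not part of the issue thread or the project's code: a small Python check that reads a `.csproj` and flags direct `System.Data.SqlClient` references older than the version the issue asks for. The 4.8.6 threshold is taken from the request above and treated as an assumption; the sample project file and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PACKAGE = "System.Data.SqlClient"
# Assumption: the version requested in the issue is used as the minimum acceptable one.
MIN_VERSION = (4, 8, 6)

# Constructed sample project; the first reference is the line quoted in the thread.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="System.Data.SqlClient" Version="4.4.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""


def local(tag):
    """Strip an XML namespace so old-style (namespaced) csproj files also match."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text):
    """Turn '4.8.6' or '4.9.0-preview1' into a comparable tuple of ints."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def check_references(csproj_text):
    """Return [(version_text, verdict)] for every direct reference to PACKAGE."""
    results = []
    for el in ET.fromstring(csproj_text).iter():
        if local(el.tag) != "PackageReference":
            continue
        if (el.get("Include") or el.get("Update") or "").lower() != PACKAGE.lower():
            continue
        version = el.get("Version")
        if version is None:  # <Version>4.4.0</Version> child element form
            child = next((c for c in el if local(c.tag) == "Version"), None)
            version = child.text if child is not None else None
        try:
            verdict = "outdated" if parse_version(version) < MIN_VERSION else "ok"
        except (AttributeError, ValueError):
            # MSBuild property, version range, floating or centrally managed version
            verdict = "unresolved"
        results.append((version, verdict))
    return results


if __name__ == "__main__":
    for version, verdict in check_references(SAMPLE_CSPROJ):
        print(f"{PACKAGE} {version}: {verdict}")
```

This only sees references declared in the file it is given. In an application that pulls the package in through another library, `dotnet list package --vulnerable --include-transitive` covers the transitive case.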
