I have…
- [x] Checked the logs and have uploaded a log file and provided a link because I found something suspicious there. Please do not post the log file in the topic because very often something important is missing.
I’m submitting a…
- [ ] Regression (a behavior that stopped working in a new release)
- [x] Bug report
- [ ] Performance issue
- [ ] Documentation issue or request
Current behavior
There is a transitive dependency in Squidex.Extensions on log4net 2.0.8 (CVE-2018-1285).
Expected behavior
No critical vulnerabilities are reported for dependencies.
Minimal reproduction of the problem
Run Mend against the current Squidex backend solution.
Environment
- [ ] Self hosted with docker
- [x] Self hosted with IIS
- [ ] Self hosted with other version
- [ ] Cloud version
Version: Latest
Browser:
- [ ] Chrome (desktop)
- [ ] Chrome (Android)
- [ ] Chrome (iOS)
- [ ] Firefox
- [ ] Safari (desktop)
- [ ] Safari (iOS)
- [ ] IE
- [ ] Edge
Others:
As we add a custom extension to Squidex before building and deploying it, we perform security scans as with all our other applications.
Turns out there are some dependencies on deprecated NuGet packages around Confluent that have a dependency on log4net 2.0.8, but as they are deprecated it is highly unlikely they will ever be updated to target a non-vulnerable version of log4net, so the solution seems to be to use the new versions of those deprecated packages.
I have raised an untested PR for what I believe are the changes required to remove this vulnerable transitive dependency: https://github.com/Squidex/squidex/pull/1039
It’s probable that this dependency is not effective against your application but just wanted to raise awareness of it and the use of deprecated packages in case it gets flagged for others…
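The practical question behind this report is which direct package drags the vulnerable transitive one in, since that is the package you have to replace. The following script is an added example, not part of the issue or of the Squidex code base: it reads a NuGet `packages.lock.json` (the file NuGet writes when `RestorePackagesWithLockFile` is enabled), builds the reverse dependency graph per target framework, and prints every chain from a direct package down to a package resolved below its fixed version. The embedded lock file is constructed for the example; apart from `log4net` every package name in it is hypothetical, and the `2.0.10` fix version is the one NVD lists for CVE-2018-1285.

```python
"""Find which direct NuGet packages pull a vulnerable transitive package into a project.

Added example. Reads a NuGet packages.lock.json, builds the reverse dependency
graph and reports every chain  direct -> ... -> flagged package  so the
maintainer knows which direct reference to replace or upgrade.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample lock file in NuGet's packages.lock.json layout.
# Only "log4net" is a real package id; the other names are hypothetical.
SAMPLE_LOCK_FILE = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "Example.Deprecated.Client": {
                "type": "Direct",
                "requested": "[1.0.0, )",
                "resolved": "1.0.0",
                "dependencies": {"Example.Deprecated.Core": "1.0.0"},
            },
            "Example.Deprecated.Core": {
                "type": "Transitive",
                "resolved": "1.0.0",
                "dependencies": {"log4net": "2.0.8"},
            },
            "log4net": {"type": "Transitive", "resolved": "2.0.8"},
            "Example.Healthy.Package": {
                "type": "Direct",
                "requested": "[3.1.0, )",
                "resolved": "3.1.0",
            },
        }
    },
})


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split a NuGet version into numeric parts and a pre-release label.

    '2.0.10' -> ((2, 0, 10), ''); '2.0.10-beta1' -> ((2, 0, 10), 'beta1').
    """
    core, _, prerelease = version.partition("-")
    numbers = tuple(int(p) for p in re.findall(r"\d+", core))
    return numbers, prerelease


def is_vulnerable(resolved: str, fixed_in: str) -> bool:
    """True when `resolved` is older than the first fixed version."""
    r_num, r_pre = parse_version(resolved)
    f_num, f_pre = parse_version(fixed_in)
    width = max(len(r_num), len(f_num))
    r_num += (0,) * (width - len(r_num))   # treat 2.0 as 2.0.0
    f_num += (0,) * (width - len(f_num))
    if r_num != f_num:
        return r_num < f_num
    # Same numeric version: a pre-release of the fixed release is still vulnerable.
    return bool(r_pre) and not f_pre


def find_pull_in_chains(packages: Dict[str, dict], package: str) -> List[List[str]]:
    """Return every chain [direct, ..., package] within one target framework."""
    parents: Dict[str, List[str]] = {}
    for name, info in packages.items():
        for child in info.get("dependencies", {}):
            parents.setdefault(child, []).append(name)

    chains: List[List[str]] = []

    def walk(node: str, chain: List[str]) -> None:
        if packages.get(node, {}).get("type") == "Direct":
            chains.append(list(chain))
        for parent in parents.get(node, []):
            if parent not in chain:          # guard against cycles
                walk(parent, [parent] + chain)

    walk(package, [package])
    return chains


def report(lock_json: str, package: str, fixed_in: str) -> List[Tuple[str, str, str]]:
    """(target framework, resolved version, chain) for every vulnerable pull-in."""
    lock = json.loads(lock_json)
    findings: List[Tuple[str, str, str]] = []
    for tfm, packages in lock["dependencies"].items():
        for name, info in packages.items():
            # NuGet package ids are case-insensitive.
            if name.lower() != package.lower():
                continue
            if is_vulnerable(info["resolved"], fixed_in):
                for chain in find_pull_in_chains(packages, name):
                    findings.append((tfm, info["resolved"], " -> ".join(chain)))
    return findings


if __name__ == "__main__":
    for tfm, version, chain in report(SAMPLE_LOCK_FILE, "log4net", "2.0.10"):
        print(f"[{tfm}] log4net {version} pulled in via: {chain}")
```

For a real project, point `report` at the lock file produced by `dotnet restore` and pass the vulnerable package and its fixed version from the advisory. The built-in `dotnet list package --vulnerable --include-transitive` tells you that a vulnerable transitive package exists, but not which direct reference is responsible; the chain output here is what you need to decide which deprecated package to swap for its maintained successor.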