Hello,
Our vulnerability detection tool reports a security vulnerability in one of your dependencies:
Microsoft.Extensions.Configuration.AzureAppConfiguration@5.0.0
->System.Text.Json@4.6.0
->System.Text.Encodings.Web@4.6.0
The vulnerability is in System.Text.Encodings.Web@4.6.0. More information regarding the vulnerability itself - here.
Could you update the version of your System.Text.Json dependency to depend on a secure version of System.Text.Encodings.Web? The secure versions, as stated in the issue, are 4.5.1, 4.7.2 and >=5.0.1.
Thanks.
Hello @tiliev, thanks for reporting this issue. You're right, System.Text.Json v4.6.0 depends on System.Text.Encodings.Web v4.6.0 which has a security vulnerability. However, this vulnerability does not exist in Microsoft.Extensions.Configuration.AzureAppConfiguration package because we have another dependency that overrides the System.Text.Encodings.Web package to v4.7.2, which is a safe version. Here's the dependency chain:
So technically, even though we reference System.Text.Json 4.6.0, the actual version of System.Text.Encodings.Web that gets installed is 4.7.2 because Azure.Core mandates that version.
That being said, we are also looking into addressing the issue more explicitly.
@avanigupta thanks for your input. You are correct. That's good news.
At the end, the workaround we used is to explicitly reference System.Text.Encodings.Web@4.7.2 in our project. That made our vulnerability detection tool happy.
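The resolution behaviour described above (the highest lower bound anywhere in the graph wins, so Azure.Core's requirement pulls System.Text.Encodings.Web up to 4.7.2) and the check a scanner should really be doing can both be read off the project.assets.json that `dotnet restore` writes under obj/. The following is an added example, not code from this thread or from the AzureAppConfiguration project; the assets file is constructed inline, and Azure.Core's version number and its position in the graph are assumptions.

```python
import json

# Constructed sample mirroring the thread's chain; Azure.Core's version and its
# place in the graph are assumptions (the issue only says it "mandates" 4.7.2).
SAMPLE_ASSETS = json.dumps({"version": 3, "targets": {"netcoreapp3.1": {
    "Microsoft.Extensions.Configuration.AzureAppConfiguration/5.0.0": {
        "type": "package",
        "dependencies": {"Azure.Core": "1.15.0", "System.Text.Json": "4.6.0"}},
    "Azure.Core/1.15.0": {
        "type": "package", "dependencies": {"System.Text.Encodings.Web": "4.7.2"}},
    "System.Text.Json/4.6.0": {
        "type": "package", "dependencies": {"System.Text.Encodings.Web": "4.6.0"}},
    "System.Text.Encodings.Web/4.7.2": {"type": "package"},
}}})

# Fixed versions as stated in the thread: 4.5.1, 4.7.2 and >= 5.0.1.
FIXED_EXACT = {(4, 5, 1), (4, 7, 2)}
FIXED_FROM = (5, 0, 1)

def _ver(s):
    # Plain x.y.z versions only; prerelease suffixes are out of scope here.
    return tuple(int(p) for p in s.split("."))

def resolved_versions(assets_json, target):
    """Package name -> version NuGet actually resolved for one target framework.
    Keys under targets[...] are 'Name/Version' and only one version per package
    survives resolution, so this is what gets installed."""
    return dict(k.split("/", 1) for k in json.loads(assets_json)["targets"][target])

def chains_to(assets_json, target, package, root):
    """Every dependency chain from root to package, annotated with the version
    each edge *requested* (a lower bound), which can differ from the resolved one."""
    targets = json.loads(assets_json)["targets"][target]
    deps = {k.split("/", 1)[0]: v.get("dependencies", {}) for k, v in targets.items()}
    found = []
    def walk(name, path):
        for dep, requested in deps.get(name, {}).items():
            step = path + [f"{dep}@{requested}"]
            if dep == package:
                found.append(" -> ".join(step))
            else:
                walk(dep, step)
    walk(root, [root])
    return found

def encodings_web_is_fixed(version):
    v = _ver(version)
    return v in FIXED_EXACT or v >= FIXED_FROM
```

Run `resolved_versions(SAMPLE_ASSETS, "netcoreapp3.1")` to see 4.7.2 as the installed version, while `chains_to(...)` still shows the System.Text.Json edge requesting only 4.6.0, which is the lower bound a naive scanner flags.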