Is FluentResults.Extensions.AspNetCore vulnerable to Microsoft.aspnetcore.http.features DOS high security vulnerability reported (CVE-2022-21986)

[jasonmcfarlanekoerber]

I have added Fluent Results to my .net8 app, last week Veracode reported that there is a high security DOS issue in microsoft.aspnetcore.http.features which is a dependency in FluentResults.Extensions.AspNetCore. The versioning for microsoft.aspnetcore.http.features is 2.2.0.

Is it vulnerable to this DOS?

[Kysluss]

Leaving this here in case anyone else stumbles on it. I think the warning is correct, but the dependency to Microsoft.AspNetCore.Http.Features is a transitive dependency to this package and should be safe to upgrade on your own (either through NuGet or adding a direct reference to it in your csproj file). Nothing that FluentResults.Extensions.AspNetCore does directly uses that package and is only installed as a byproduct of needing references the Mvc framework.

[jasonmcfarlanekoerber]

Will do. Thanks Get Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: Kysluss ***@***.***> Sent: Thursday, August 22, 2024 7:49:09 PM To: altmann/FluentResults ***@***.***> Cc: Jason McFarlane ***@***.***>; Author ***@***.***> Subject: Re: [altmann/FluentResults] Is FluentResults.Extensions.AspNetCore vulnerable to Microsoft.aspnetcore.http.features DOS high security vulnerability reported (CVE-2022-21986) (Issue #219) Leaving this here in case anyone else stumbles on it. I think the warning is correct, but the dependency to Microsoft.AspNetCore.Http.Features is a transitive dependency to this package and should be safe to upgrade on your own (either through NuGet or adding a direct reference to it in your csproj file). Nothing that FluentResults.Extensions.AspNetCore does directly uses that package and is only installed as a byproduct of needing references the Mvc framework. — Reply to this email directly, view it on GitHub<#219 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BAOOTER3CSZSW2LJQJUTZKLZSZ2HLAVCNFSM6AAAAABMPB4SF6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMBVHEZDSMRVHE>. You are receiving this because you authored the thread.Message ID: ***@***.***> ' Körber Supply Chain This document and all information therein are provided in confidence and may not be disclosed to any third party without the express written permission of the disclosing party. The companies of the Körber Group take the protection of your personal data very seriously. Read more under https://www.koerber.com/en/gdpr '.