CVE-2024-29992 in Azure.Identity within dbatools.library/2024.4.12/core/lib

Open ernstae opened this issue 7 months ago • 1 comments

Verified issue does not already exist?

I have searched and found no existing issue

What error did you receive?

Summary

A medium-ranked CVE was detected running version 1.10.3 of the Azure.Identity library embedded within dbatools: https://nvd.nist.gov/vuln/detail/CVE-2024-29992

The latest version of that component is 1.13.2 and appears to resolve that vulnerability.

I'm required to make contact and identify that this has been detected in my implementation of dbatools, to raise awareness and to meet compliance for my environment.

Steps to Reproduce

Save-Module -Name Dbatools -Path context/ps_modules -Repository PSGallery -MinimumVersion 2.1.30

ag "Azure.Identity" --json
dbatools.library/2024.4.12/core/lib/sqlpackage.deps.json
13:          "Azure.Identity": "1.10.3",
793:      "Azure.Identity/1.10.3": {
804:          "lib/netstandard2.0/Azure.Identity.dll": {
923:          "Azure.Identity": "1.10.3",
1779:          "Azure.Identity": "1.10.3",
1862:          "Azure.Identity": "1.10.3",
1946:          "Azure.Identity": "1.10.3",
2031:          "Azure.Identity": "1.10.3",
2115:          "Azure.Identity": "1.10.3",
2220:    "Azure.Identity/1.10.3": {

dbatools.library/2024.4.12/core/lib/mac/sqlpackage.deps.json
13:          "Azure.Identity": "1.10.3",
793:      "Azure.Identity/1.10.3": {
804:          "lib/netstandard2.0/Azure.Identity.dll": {
923:          "Azure.Identity": "1.10.3",
1779:          "Azure.Identity": "1.10.3",
1862:          "Azure.Identity": "1.10.3",
1946:          "Azure.Identity": "1.10.3",
2031:          "Azure.Identity": "1.10.3",
2115:          "Azure.Identity": "1.10.3",
2220:    "Azure.Identity/1.10.3": {

Please confirm that you are running the most recent version of dbatools

Yes, this is validated on version 2.1.30

Other details or mentions

No response

What PowerShell host was used when producing this error

PowerShell Core (pwsh.exe)

PowerShell Host Version

Name                       Value
PSVersion                  7.5.0
PSEdition                  Core
GitCommitId                7.5.0
OS                         Darwin 23.6.0 Darwin Kernel Version 23.6.0: Thu Dec 19 20:44:50 PST 2024; root:xnu-10063.141.1.703.2~1/RELEASE_X86_64
Platform                   Unix
PSCompatibleVersions       {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion  2.3
SerializationVersion       1.1.0.1
WSManStackVersion          3.0

SQL Server Edition and Build number

Not applicable

.NET Framework Version

Not applicable.

ernstae · Mar 28 '25 06:03
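The text search in the reproduction steps can be turned into a structured check that reads each `*.deps.json` manifest and compares the resolved package version numerically. This is an added example, not code from the issue or from the dbatools project; the function names are hypothetical, the sample tree is constructed, and the minimum version is supplied by the caller (here 1.13.2, the version the report names as latest).

```python
import json
import tempfile
from pathlib import Path


def parse_version(text):
    """Turn '1.10.3' into (1, 10, 3); a prerelease suffix such as '-beta.1' is ignored."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def find_outdated(root, package, minimum):
    """Return sorted (deps.json path, resolved version) pairs where package is below minimum."""
    floor = parse_version(minimum)
    hits = set()
    for deps_file in Path(root).rglob("*.deps.json"):
        try:
            doc = json.loads(deps_file.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        # Keys under "libraries" have the form "<name>/<version>", one per resolved package.
        for key in doc.get("libraries", {}):
            name, _, version = key.partition("/")
            if name.lower() == package.lower() and parse_version(version) < floor:
                hits.add((deps_file.relative_to(root).as_posix(), version))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample: two manifests shaped like those in the report, plus one updated copy."""
    def manifest(version):
        return {"targets": {"sample-target": {f"Azure.Identity/{version}": {}}},
                "libraries": {f"Azure.Identity/{version}": {"type": "package"}}}
    for rel, version in [("core/lib/sqlpackage.deps.json", "1.10.3"),
                         ("core/lib/mac/sqlpackage.deps.json", "1.10.3"),
                         ("core/lib/updated.deps.json", "1.13.2")]:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(manifest(version)), encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, version in find_outdated(tmp, "Azure.Identity", "1.13.2"):
            print(f"{path}: Azure.Identity {version}")
```

Comparing versions as integer tuples avoids the string-comparison trap where "1.9.0" sorts above "1.10.3".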