CVE-2024-29992 in Azure.Identity within dbatools.library/2024.4.12/core/lib
Verified issue does not already exist?
I have searched and found no existing issue
What error did you receive?
Summary
A medium-ranked CVE was detected running version 1.10.3 of the Azure.Identity library embedded within dbatools: https://nvd.nist.gov/vuln/detail/CVE-2024-29992
The latest version of that component is 1.13.2 and appears to resolve that vulnerability.
I'm required to make contact and identify that this has been detected in my implementation of dbatools, to raise awareness and to meet compliance for my environment.
Steps to Reproduce
Save-Module -Name Dbatools -Path context/ps_modules -Repository PSGallery -MinimumVersion 2.1.30
ag "Azure.Identity" --json
dbatools.library/2024.4.12/core/lib/sqlpackage.deps.json
13: "Azure.Identity": "1.10.3",
793: "Azure.Identity/1.10.3": {
804: "lib/netstandard2.0/Azure.Identity.dll": {
923: "Azure.Identity": "1.10.3",
1779: "Azure.Identity": "1.10.3",
1862: "Azure.Identity": "1.10.3",
1946: "Azure.Identity": "1.10.3",
2031: "Azure.Identity": "1.10.3",
2115: "Azure.Identity": "1.10.3",
2220: "Azure.Identity/1.10.3": {
dbatools.library/2024.4.12/core/lib/mac/sqlpackage.deps.json
13: "Azure.Identity": "1.10.3",
793: "Azure.Identity/1.10.3": {
804: "lib/netstandard2.0/Azure.Identity.dll": {
923: "Azure.Identity": "1.10.3",
1779: "Azure.Identity": "1.10.3",
1862: "Azure.Identity": "1.10.3",
1946: "Azure.Identity": "1.10.3",
2031: "Azure.Identity": "1.10.3",
2115: "Azure.Identity": "1.10.3",
2220: "Azure.Identity/1.10.3": {
Please confirm that you are running the most recent version of dbatools
Yes, this is validated on version 2.1.30
Other details or mentions
No response
What PowerShell host was used when producing this error
PowerShell Core (pwsh.exe)
PowerShell Host Version
Name                       Value
PSVersion                  7.5.0
PSEdition                  Core
GitCommitId                7.5.0
OS                         Darwin 23.6.0 Darwin Kernel Version 23.6.0: Thu Dec 19 20:44:50 PST 2024; root:xnu-10063.141.1.703.2~1/RELEASE_X86_64
Platform                   Unix
PSCompatibleVersions       {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion  2.3
SerializationVersion       1.1.0.1
WSManStackVersion          3.0
SQL Server Edition and Build number
Not applicable
.NET Framework Version
Not applicable.
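The search from the steps above, as an added example that is not part of the original report or of the dbatools project: it parses each bundled `*.deps.json` as JSON instead of grepping it and reports every file that still records a version of a package below a chosen minimum. The `SAMPLE` manifest (including `sqlpackage/1.0.0` and the target framework name) and the helper names are constructed for illustration; 1.13.2 is used as the minimum because the report names it as the version that appears to resolve the CVE.

```python
import json
import re
import tempfile
from pathlib import Path

SAMPLE = {  # constructed manifest, shaped like the lines the report lists
    "targets": {".NETCoreApp,Version=v8.0": {
        "sqlpackage/1.0.0": {"dependencies": {"Azure.Identity": "1.10.3"}},
        "Azure.Identity/1.10.3": {"runtime": {"lib/netstandard2.0/Azure.Identity.dll": {}}},
    }},
    "libraries": {"Azure.Identity/1.10.3": {"type": "package"}},
}

def as_tuple(text):
    m = re.match(r"\d+(?:\.\d+)*", text)  # numeric part only; a "-beta.1" suffix is ignored
    return tuple(map(int, m.group().split("."))) if m else None

def package_versions(node, package):
    """Yield every version a parsed deps.json records for `package`."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == package and isinstance(value, str):
                yield value                     # "Azure.Identity": "1.10.3"
            elif key.startswith(package + "/"):
                yield key.split("/", 1)[1]      # "Azure.Identity/1.10.3": {...}
            yield from package_versions(value, package)

def scan(root, package, minimum):
    """Return {relative deps.json path: sorted versions below `minimum`}."""
    floor, findings = as_tuple(minimum), {}
    for path in sorted(Path(root).rglob("*.deps.json")):
        try:
            doc = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep scanning
        old = sorted(v for v in set(package_versions(doc, package)) if (as_tuple(v) or floor) < floor)
        if old:
            findings[path.relative_to(root).as_posix()] = old
    return findings

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed module tree, one stale copy, one updated
        lib = Path(tmp, "dbatools.library/2024.4.12/core/lib")
        (lib / "mac").mkdir(parents=True)
        (lib / "sqlpackage.deps.json").write_text(json.dumps(SAMPLE))
        (lib / "mac/sqlpackage.deps.json").write_text(json.dumps(SAMPLE).replace("1.10.3", "1.13.2"))
        return scan(tmp, "Azure.Identity", "1.13.2")

if __name__ == "__main__":
    print(demo())
```

Against a real download, call `scan("context/ps_modules", "Azure.Identity", "1.13.2")` on the path used with `Save-Module`; an empty result means no bundled manifest records an older version.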
Thank you. We are trying our best to update the library, but it is a huge challenge as Microsoft's dependencies for each library sometimes conflict and we have to use our limited knowledge to try to fix it. This is actively being worked on, however, and we hope to have a fix soon.
Linked to https://github.com/dataplat/dbatools.library/pull/16 as other reports.
Thank you for your report! I just set up a new pipeline to make these easier to resolve. Please see our newest release 2.5.0 for security fixes.
https://github.com/dataplat/dbatools/releases/tag/v2.5.0