wcf
Improper Restriction of XML External Entity Reference [System.Security.Cryptography.Xml]
Overview: Affected versions of this package are vulnerable to Improper Restriction of XML External Entity Reference (XXE) during the XML signature verification process.
Remediation: Upgrade System.Security.Cryptography.Xml to version 4.7.1, 6.0.1 or higher.
-> [email protected] |-> [email protected] |--->[email protected] |------> Fixed in: System.Security.Cryptography.Xml 4.7.1,6.0.1
Could this package be updated to version 6.0.1 https://github.com/dotnet/wcf/blob/main/eng/Versions.props#L37 ?
We will update this, but FYI, the WCF client isn't vulnerable to this issue. I examined the problem the fix addresses and the WCF client doesn't have the vulnerable scenario. Basically, we never use SignedXml to verify a signature on a received message; we only use it to sign a security header on an outgoing message, and the entire payload for that is generated by WCF. The only purpose for WCF in updating our dependency and releasing a new package (which we will do) is to satisfy any systems which scan for vulnerable dependencies. There is no actual threat to using WCF with an older version.
Good to hear, thanks! :)
FYI there will be a small delay on this as we missed updating all our dependency versions in our last release so I want to evaluate and update everything to the latest version at once.
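The advisory above concerns the verification path, and the maintainer's reply draws the line between signing outgoing XML and verifying received XML. The following is an added example, not code from dotnet/wcf or from System.Security.Cryptography.Xml, showing both sides: an enveloped signature produced with SignedXml, and a verification routine for untrusted input that prohibits DTD processing and clears the XmlResolver before SignedXml ever sees the document, so an external-entity reference in a received message is rejected at parse time regardless of the library version. The `<order>` document, the hostname path and the method names are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not dotnet/wcf or System.Security.Cryptography.Xml code).
// Sign() is the outgoing-message case; Verify() is the received-message case,
// hardened so that external entities cannot be resolved during verification.
static class SignedXmlDemo
{
    // Produce an enveloped XML-DSig signature over the whole document (URI="").
    static XmlDocument Sign(string xml, RSA key)
    {
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(xml);

        var signedXml = new SignedXml(doc) { SigningKey = key };
        var reference = new Reference { Uri = "" };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);

        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new RSAKeyValue(key));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc;
    }

    // Parse untrusted XML with DTDs prohibited and no resolver, so neither the
    // reader nor the resulting XmlDocument can fetch external entities.
    static XmlDocument LoadUntrusted(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
        };
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    // Verify against a key we already trust rather than the embedded KeyInfo,
    // and insist on exactly one Signature element to avoid ambiguity.
    static bool Verify(string xml, RSA trustedKey)
    {
        XmlDocument doc;
        try { doc = LoadUntrusted(xml); }
        catch (XmlException) { return false; } // DTD present or malformed: reject

        var nodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) return false;

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)nodes[0]);
        return signedXml.CheckSignature(trustedKey);
    }

    static void Main()
    {
        using var key = RSA.Create(2048);
        // Constructed sample message for the example.
        var signed = Sign("<order><item>widget</item><qty>3</qty></order>", key);
        string wire = signed.OuterXml;

        Console.WriteLine("valid:    " + Verify(wire, key));
        Console.WriteLine("tampered: " + Verify(wire.Replace("<qty>3</qty>", "<qty>30</qty>"), key));

        // A received document carrying a DTD with an external entity is
        // rejected by the reader before any signature processing runs.
        string withDtd = "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>" + wire;
        Console.WriteLine("dtd:      " + Verify(withDtd, key));
    }
}
```

The practitioner check implied by the thread is the grep for `CheckSignature` (or `SignedXml.LoadXml`) over code that handles inbound XML: a component that only calls `ComputeSignature` on payloads it generated itself, as the maintainer describes for the WCF client, is outside the vulnerable scenario, while any component that does verify received signatures should both take the patched package and parse the input as `LoadUntrusted` does.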