
CVE-2024-29992 in Azure.Identity within dbatools.library/2024.4.12/core/lib #9636

Open
ernstae opened this issue Mar 28, 2025 · 1 comment
Labels
bugs life triage required New issue that has not been reviewed by maintainers

ernstae commented Mar 28, 2025

Verified issue does not already exist?

I have searched and found no existing issue

What error did you receive?

Summary

A medium-ranked CVE was detected running version 1.10.3 of the Azure.Identity library embedded within dbatools:
https://nvd.nist.gov/vuln/detail/CVE-2024-29992

The latest version of that component is 1.13.2 and appears to resolve that vulnerability.

I'm required to make contact and identify that this has been detected in my implementation of dbatools, to raise awareness and to meet compliance for my environment.

Steps to Reproduce

Save-Module -Name Dbatools -Path context/ps_modules -Repository PSGallery -MinimumVersion 2.1.30

ag "Azure.Identity" --json
dbatools.library/2024.4.12/core/lib/sqlpackage.deps.json
13:          "Azure.Identity": "1.10.3",
793:      "Azure.Identity/1.10.3": {
804:          "lib/netstandard2.0/Azure.Identity.dll": {
923:          "Azure.Identity": "1.10.3",
1779:          "Azure.Identity": "1.10.3",
1862:          "Azure.Identity": "1.10.3",
1946:          "Azure.Identity": "1.10.3",
2031:          "Azure.Identity": "1.10.3",
2115:          "Azure.Identity": "1.10.3",
2220:    "Azure.Identity/1.10.3": {

dbatools.library/2024.4.12/core/lib/mac/sqlpackage.deps.json
13:          "Azure.Identity": "1.10.3",
793:      "Azure.Identity/1.10.3": {
804:          "lib/netstandard2.0/Azure.Identity.dll": {
923:          "Azure.Identity": "1.10.3",
1779:          "Azure.Identity": "1.10.3",
1862:          "Azure.Identity": "1.10.3",
1946:          "Azure.Identity": "1.10.3",
2031:          "Azure.Identity": "1.10.3",
2115:          "Azure.Identity": "1.10.3",
2220:    "Azure.Identity/1.10.3": {

Please confirm that you are running the most recent version of dbatools

Yes, this is validated on version 2.1.30

Other details or mentions

No response

What PowerShell host was used when producing this error

PowerShell Core (pwsh.exe)

PowerShell Host Version

Name Value


PSVersion 7.5.0
PSEdition Core
GitCommitId 7.5.0
OS Darwin 23.6.0 Darwin Kernel Version 23.6.0: Thu Dec 19 20:44:50 PST 2024; root:xnu-10063.141.1.703.2~1/RELEASE_X86_64
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

SQL Server Edition and Build number

Not applicable

.NET Framework Version

Not applicable.

@ernstae ernstae added bugs life triage required New issue that has not been reviewed by maintainers labels Mar 28, 2025
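
An inventory check for the finding reported above, as an added example (not part of the issue and not dbatools code): it parses each `*.deps.json` rather than text-searching it, reports every bundled copy of a package below a chosen version, and lists which packages declare a dependency on it. The function name `Find-DepsJsonPackage`, the sample file contents, and the `1.13.2` threshold (the version the reporter names) are assumptions; PowerShell 7 is required.

```powershell
# Added example; requires PowerShell 7 (ConvertFrom-Json -AsHashtable).
function Find-DepsJsonPackage {
    param(
        [Parameter(Mandatory)] [string]  $Path,           # root of the saved module tree
        [Parameter(Mandatory)] [string]  $PackageName,    # package id to look for
        [Parameter(Mandatory)] [version] $MinimumVersion  # lowest version you accept
    )
    Get-ChildItem -Path $Path -Recurse -File -Filter '*.deps.json' | ForEach-Object {
        $file = $_.FullName
        $deps = Get-Content -LiteralPath $file -Raw | ConvertFrom-Json -AsHashtable
        if (-not $deps.libraries) { return }   # no library list in this file, skip it

        # Entries in any target that declare a dependency on $PackageName
        $dependents = foreach ($target in $deps.targets.Values) {
            foreach ($entry in $target.GetEnumerator()) {
                if ($entry.Value.dependencies.Keys -contains $PackageName) { $entry.Key }
            }
        }
        # Keys under "libraries" have the form "<package>/<version>"
        foreach ($key in $deps.libraries.Keys) {
            $name, $ver = $key -split '/', 2
            if ($name -ne $PackageName -or -not $ver) { continue }
            $parsed = $null   # strip any prerelease/build suffix before parsing
            if (-not [version]::TryParse(($ver -replace '[-+].*$'), [ref]$parsed)) { continue }
            [pscustomobject]@{
                File         = $file
                Package      = $name
                Version      = $ver
                BelowMinimum = $parsed -lt $MinimumVersion
                RequiredBy   = @($dependents | Sort-Object -Unique)
            }
        }
    }
}

# Constructed sample: a minimal deps.json shaped like the files in the report.
# The target name and the "sqlpackage/1.0.0" entry are made up for illustration.
$root = Join-Path ([IO.Path]::GetTempPath()) 'depsjson-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
@'
{ "targets": { ".NETCoreApp,Version=v8.0": {
      "sqlpackage/1.0.0":      { "dependencies": { "Azure.Identity": "1.10.3" } },
      "Azure.Identity/1.10.3": { "runtime": { "lib/netstandard2.0/Azure.Identity.dll": {} } } } },
  "libraries": { "Azure.Identity/1.10.3": { "type": "package" } } }
'@ | Set-Content -LiteralPath (Join-Path $root 'sqlpackage.deps.json')

Find-DepsJsonPackage -Path $root -PackageName 'Azure.Identity' -MinimumVersion '1.13.2'
```

Pointing `-Path` at the directory used with `Save-Module` covers every bundled copy in one pass, and the `RequiredBy` column shows which packages pin the old version.
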
@potatoqualitee
Member

Thank you. We are trying our best to update the library, but it is a huge challenge as Microsoft's dependencies for each library sometimes conflict and we have to use our limited knowledge to try to fix it. This is actively being worked on, however, and we hope to have a fix soon.
