Component Governance: Need to upgrade dependencies. (CVE-2020-1045) (CVE-2021-26701) #2199
Description
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1045
- Upgrade to version Microsoft.AspNetCore.App - 2.1.22, Microsoft.AspNetCore.All - 2.1.22,Microsoft.NETCore.App - 2.1.22, Microsoft.AspNetCore.Http - 2.1.22
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26701
- Upgrade to version System.Text.Encodings.Web - 4.5.1,4.7.2,5.0.1
Package at fault:
- Microsoft.ApplicationInsights.AspNetCore
- Microsoft.AspNetCore.Hosting v2.1.1
- Microsoft.AspNetCore.Http v2.1.1 <----- CVE-2020-1045
- Microsoft.AspNetCore.Hosting.Abstractions v2.1.1
- Microsoft.AspNetCore.Http.Abstractions v2.2.0
- System.Text.Encodings.Web v4.5.0 <----- CVE-2021-26701
- Microsoft.AspNetCore.Http.Abstractions v2.2.0
- Microsoft.AspNetCore.Hosting v2.1.1
Remediation
- Upgrading to Microsoft.AspNetCore.Hosting v2.2.0 will upgrade Microsoft.AspNetCore.Http to v2.2.0.
- We must take a temporary explicit dependency on System.Text.Encodings.Web until one of the other dependencies in this chain is updated.