Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

@microsoft/signalr -> Exposure of Sensitive Information to an Unauthorized Actor in eventsource/eventsource prior to v2.0.2 #41829

Closed
mm-ryo opened this issue May 25, 2022 · 1 comment
Closed

@microsoft/signalr -> Exposure of Sensitive Information to an Unauthorized Actor in eventsource/eventsource prior to v2.0.2 #41829

mm-ryo opened this issue May 25, 2022 · 1 comment

Comments

@mm-ryo
Copy link

mm-ryo commented May 25, 2022
edited
Loading

Hi,

There is a critical security issue reported by NVD.
Could you upgrade eventsource to the latest version for @microsoft/signalr?

I checked the v6.0.5 of @microsoft/signalr package info. it was still using "^1.0.7"
https://github.com/dotnet/aspnetcore/blob/v6.0.5/src/SignalR/clients/ts/signalr/package.json

https://nvd.nist.gov/vuln/detail/CVE-2022-1650

.NET Version

6.0.4
@mm-ryo mm-ryo closed this as completed May 25, 2022
@mm-ryo
Copy link
Author

mm-ryo commented May 25, 2022

it was fixed in v1.1.1 of "eventsource/eventsource"

@blowdart blowdart mentioned this issue May 27, 2022
Closed
@ghost ghost locked as resolved and limited conversation to collaborators Jun 24, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mm-ryo