Hi,
I upgraded my asp.net mvc project to DotNet7 and updated Telerik to Progress® Telerik® UI for ASP.NET Core version 2023.3.1010, which is the latest. This Telerik package pulls in Microsoft.AspNetCore.Mvc.Core and Microsoft.AspNetCore.Mvc.Cors. Both these packages are depreciated and contain vulnerabilities as noted in CVE-2019-0548: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0548
Questions:
- Do you plan on removing the reference to the depreciated packages? Apparently everything is now included in the base aspnet SDK Microsoft.NET.Sdk.Web.
- Does using this package leave us vulnerable to the issue noted in the CVE?
Thanks!
Rank 1
Iron
Iron
1 Answer, 1 is accepted
Hello Russell,
At this stage, Telerik UI for ASP.NET Core targets netstandard2.0, and some of the older versions referenced are the minimal versions required, so we can ensure the product will be compatible with older versions of .NET Core like, .NET5, .NET Core 3.1, and .NET Core 2.1.
We already planned to remove older and vulnerable dependencies:
https://github.com/telerik/kendo-ui-core/issues/6999
Since the vulnerability results from ASP.NET Core 2.1/ASP.NET Core 2.2, you can install a newer version of the Microsoft.AspNetCore.Mvc.Core package via NuGet. In terms of the Microsoft.AspNetCore.Mvc.Cors pacakge is used indirectly by Microsoft.AspNetCore.Mvc.Core:
Regards, Mihaela Progress Telerik