Telerik.UI.for.AspNet.Core - CVE-2019-0548

1 Answer 265 Views

Security

Russell asked on 31 Oct 2023, 07:41 PM

Hi,

I upgraded my asp.net mvc project to DotNet7 and updated Telerik to Progress® Telerik® UI for ASP.NET Core version 2023.3.1010, which is the latest. This Telerik package pulls in Microsoft.AspNetCore.Mvc.Core and Microsoft.AspNetCore.Mvc.Cors. Both these packages are depreciated and contain vulnerabilities as noted in CVE-2019-0548: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0548

Questions:
- Do you plan on removing the reference to the depreciated packages? Apparently everything is now included in the base aspnet SDK Microsoft.NET.Sdk.Web.

- Does using this package leave us vulnerable to the issue noted in the CVE?

Thanks!

Russell

commented on 01 Nov 2023, 04:37 PM

I see in the advisory that no exploit has been registered. My first question is still relevant. The components shows up in my SBOM and triggers a high vulnerability in my vulnerability listing.

1 Answer, 1 is accepted

Accepted

answered on 03 Nov 2023, 03:43 PM

Hello Russell,

At this stage, Telerik UI for ASP.NET Core targets netstandard2.0, and some of the older versions referenced are the minimal versions required, so we can ensure the product will be compatible with older versions of .NET Core like, .NET5, .NET Core 3.1, and .NET Core 2.1.

We already planned to remove older and vulnerable dependencies:

https://github.com/telerik/kendo-ui-core/issues/6999

Since the vulnerability results from ASP.NET Core 2.1/ASP.NET Core 2.2, you can install a newer version of the Microsoft.AspNetCore.Mvc.Core package via NuGet. In terms of the Microsoft.AspNetCore.Mvc.Cors pacakge is used indirectly by Microsoft.AspNetCore.Mvc.Core:

Regards, Mihaela Progress Telerik

Stay tuned by visiting our public roadmap and feedback portal pages. If you're new to the Telerik family, be sure to check out our getting started resources, as well as the only REPL playground for creating, saving, running, and sharing server-side code.