Azure/azure-functions-dotnet-worker

Azure function with QueueTrigger fails to pass WhiteSource scan (Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability)

LenaVinogradov opened this issue · 2 comments

Similar to #2421, please update the Worker Storage extension dependencies, as the currently referenced Azure.Identity package has a known vulnerability:
CVE-2024-35255
GHSA-m5vv-6r4h-3vj9

Specifically, Microsoft.Azure.WebJobs.Extensions.Storage.Queues 5.3.0 includes Microsoft.Extensions.Azure 1.7.3 and that includes the now vulnerable version of Azure.Identity.
Microsoft.Extensions.Azure has already had a release (1.7.4) with a non-vulnerable Azure.Identity so we are waiting for a new version of Microsoft.Azure.WebJobs.Extensions.Storage.Queues and for that to be deployed to the .azurefunctions folder when building.
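
To confirm which direct reference drags in a flagged transitive package, the restore output can be walked for the chain described above. This is an added example, not code from the issue or the project: `dependency_paths` is a hypothetical helper, it assumes the layout of NuGet's `obj/project.assets.json`, and the Azure.Identity version in the constructed sample is a placeholder.

```python
import json

# Constructed sample shaped like NuGet's obj/project.assets.json. Package names
# and the 5.3.0 / 1.7.3 versions come from the issue; the Azure.Identity
# version is a placeholder, not a value from the page.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {"net8.0": {
    "Microsoft.Azure.WebJobs.Extensions.Storage.Queues/5.3.0": {
      "type": "package", "dependencies": {"Microsoft.Extensions.Azure": "1.7.3"}},
    "Microsoft.Extensions.Azure/1.7.3": {
      "type": "package", "dependencies": {"Azure.Identity": "0.0.0-placeholder"}},
    "Azure.Identity/0.0.0-placeholder": {"type": "package"}
  }},
  "project": {"frameworks": {"net8.0": {"dependencies": {
    "Microsoft.Azure.WebJobs.Extensions.Storage.Queues":
      {"target": "Package", "version": "[5.3.0, )"}
  }}}}
}
""")


def dependency_paths(assets, package):
    """Return each chain from a direct reference down to `package` (hypothetical helper)."""
    # Direct references, unioned across target frameworks for simplicity.
    roots = set()
    for fw in assets["project"]["frameworks"].values():
        roots.update(fw.get("dependencies", {}))
    found = []
    for libs in assets["targets"].values():
        # NuGet ids are case-insensitive: index resolved libraries by lowercase id.
        index = {k.split("/")[0].lower(): (k, v.get("dependencies", {}))
                 for k, v in libs.items()}

        def walk(name, chain):
            key = name.lower()
            if key not in index or index[key][0] in chain:
                return  # not resolved in this target, or a cycle
            label, deps = index[key]
            if key == package.lower():
                found.append(chain + [label])
                return
            for dep in deps:
                walk(dep, chain + [label])

        for root in sorted(roots):
            walk(root, [])
    return found
```

Run against a real file with `dependency_paths(json.load(open("obj/project.assets.json")), "Azure.Identity")`; the last element of each chain shows the resolved version to compare with the advisory.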