SDK of HPC 2016 update 3 has an indirect dependency with a vulnerable package

  • Question

  • I am scanning the OSS-index for all used packages of our .NET project by using a tool that also includes transitive packages (hence the indirect dependencies). With the tool, the following vulnerability shows up:

    [3/373] Microsoft.Data.OData 5.8.2 [VULNERABLE]  1 known vulnerabilities,  1 affecting installed package version(s): [5.8.2]
    --[1/1] [CVE-2018-8269]  Data Handling
        --A denial of service vulnerability exists when OData Library improperly handles web requests, aka "OData Denial of Service Vulnerability." This affects Microsoft.Data.OData.
      --Id: 7688cf24-9da8-4906-b18c-0fa0ea4bfca8
      --Reference: [cannot submit question with a link so have removed it]
      --Provided by: OSS Index

    If I am not mistaken, this comes from the package Microsoft.HPC.SDK (5.3.6437), which seems to have an indirect dependency on it. Any chance that this can be fixed? The subsequent package on NuGet is not compatible with 2016 update 3, so I cannot use it.

    Tuesday, May 19, 2020 8:31 AM
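To triage a finding like the one in the question, a defender wants two things joined: the scanner's text report parsed into structured findings, and the project's resolved dependency graph (the project.assets.json that NuGet restore writes) walked to show which direct PackageReference brings the flagged package in. The Python below is an added example, not code from the original post or from the scanner; the report sample is the lines quoted above, and the assets fragment is constructed to express the questioner's hypothesis that Microsoft.HPC.SDK pulls in Microsoft.Data.OData, not the real metadata of either package.

```python
import re

# Constructed sample of the scanner's text report, copied from the lines quoted in the question.
SCAN_OUTPUT = """\
[3/373] Microsoft.Data.OData 5.8.2 [VULNERABLE]  1 known vulnerabilities,  1 affecting installed package version(s): [5.8.2]
  --[1/1] [CVE-2018-8269]  Data Handling
      --A denial of service vulnerability exists when OData Library improperly handles web requests, aka "OData Denial of Service Vulnerability." This affects Microsoft.Data.OData.
    --Id: 7688cf24-9da8-4906-b18c-0fa0ea4bfca8
    --Provided by: OSS Index
"""
PKG_RE = re.compile(r"^\[\d+/\d+\] (\S+) (\S+) \[VULNERABLE\]")
CVE_RE = re.compile(r"--\[\d+/\d+\] \[(CVE-\d{4}-\d+)\]")

def parse_findings(text):
    """Return [{package, version, cves}] for every [VULNERABLE] entry in the report."""
    findings = []
    for line in text.splitlines():
        pkg = PKG_RE.match(line.strip())
        if pkg:
            findings.append({"package": pkg.group(1), "version": pkg.group(2), "cves": []})
        elif (cve := CVE_RE.search(line)) and findings:
            findings[-1]["cves"].append(cve.group(1))
    return findings

# Constructed, minimal subset of a project.assets.json expressing the question's hypothesis (HPC SDK -> OData).
ASSETS = {
    "targets": {".NETFramework,Version=v4.6.1": {
        "Microsoft.HPC.SDK/5.3.6437": {"dependencies": {"Microsoft.Data.OData": "5.8.2"}},
        "Microsoft.Data.OData/5.8.2": {}}},
    "project": {"frameworks": {"net461": {"dependencies": {"Microsoft.HPC.SDK": {"version": "[5.3.6437, )"}}}}},
}

def paths_to(assets, target_pkg):
    """List every chain from a direct PackageReference down to target_pkg (case-insensitive)."""
    graph = {}  # package name -> names it depends on, merged across target frameworks
    for target in assets["targets"].values():
        for key, entry in target.items():
            graph.setdefault(key.split("/")[0], set()).update(entry.get("dependencies", {}))
    direct = {d for fw in assets["project"]["frameworks"].values() for d in fw.get("dependencies", {})}
    chains = []
    def walk(node, path):
        if node.lower() == target_pkg.lower():
            chains.append(path)
            return
        for dep in sorted(graph.get(node, ())):
            if dep not in path:  # guard against cyclic graphs
                walk(dep, path + [dep])
    for root in sorted(direct):
        walk(root, [root])
    return chains
```

Running `paths_to(ASSETS, f["package"])` for each finding from `parse_findings(SCAN_OUTPUT)` names the direct package to pin, replace or raise an issue against.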