Skip to content

CVE-2020-22083 security vulnerability in botbuilder-python SDK #2078

New issue
New issue
Open
Open
CVE-2020-22083 security vulnerability in botbuilder-python SDK#2078
Labels
bugIndicates an unexpected problem or an unintended behavior.needs-triageThe issue has just been created and it has not been reviewed by the team.
@hisnkuanli

Description

@hisnkuanli
hisnkuanli
opened on Feb 21, 2024

Version

4.14.8

Describe the bug

There is a security vulnerability detected via Component Governance in DevOps. The severity is marked as Critical.

The details about this vulnerability:

image

In this SDK, the jsonpickle package is limited (>=1.2,<1.5), it is possible to use the latest version to avoid this security vulnerability?
Use version ranges 3rd party deps by cognifloyd · Pull Request #1468 · microsoft/botbuilder-python (github.com)

It is a blocking issue for our production service. Please help resolve it ASAP. Thanks.

To Reproduce

Use echo bot as an example, trigger a build in Azure DevOps, and enable Component Governance

Expected behavior

Pass Component Governance

Additional context

GHSA-j66q-qmrc-89rx
image

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugIndicates an unexpected problem or an unintended behavior.needs-triageThe issue has just been created and it has not been reviewed by the team.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions