[Question]: Agent install being flagged for CVE-2024-21907 #4593
Comments
I am having the same issue. Any update?
Thank you for reporting this! Issue summary: ETA of Resolution: July.
Any news to share @martin-toman ?
Safer approach: #4955
Does anyone know when MS should be releasing a new pipeline agent with the updated tf?
Any updates?
This fix should be available in v3.244.1
I'm closing this issue as the fix has been rolled out. Please feel free to re-open it if you still experience this issue.
Describe your question
Hi all,
My company is using Wiz to scan various virtual machine resources, and my team is running some Windows build agents through Azure DevOps.
Agent version - 3.230.0
The agent and work directories for each agent service are being flagged by Wiz due to having older versions of Newtonsoft.Json (9.0.1 and 10.0.3). I have tested upgrading to agent version 3.232.1; however, that appears to still be using the same library references.
See vulnerability reference here: CVE-2024-21907
A specific example of one of these flags:
Is there currently a PR in progress to address this, or otherwise an ETA for resolution? Any input would be appreciated.
Thank you kindly,
Matthew
Versions
Azure DevOps Agent version 3.230.0 / Windows Server 2019 (for build agents)
Environment type (Please select at least one environment where you face this issue)
Azure DevOps Server type
Azure DevOps Server (Please specify exact version in the textbox below)
Operating system
Windows Server 2019
Version control system
No response
Azure DevOps Server Version (if applicable)
Azure DevOps Server 2022.1
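One way to check which Newtonsoft.Json copies a scanner would flag under an agent's install and work directories, before and after an agent upgrade. This is an added example, not part of the original issue or the agent project's code. The `C:\agent` path is a placeholder, and the 13.0.1 threshold comes from the CVE-2024-21907 record rather than from this thread.

```powershell
# Added example: inventory Newtonsoft.Json.dll copies under an agent root.
param(
    # Hypothetical agent install path; replace with your own agent root.
    [string]$AgentRoot = 'C:\agent',
    # First fixed release per the CVE-2024-21907 record (not stated in this thread).
    [version]$FixedVersion = '13.0.1'
)

function Get-NewtonsoftInventory {
    param([string]$Root, [version]$Fixed)

    Get-ChildItem -Path $Root -Filter 'Newtonsoft.Json.dll' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build the version from the numeric parts; the FileVersion string can carry suffixes.
            # A DLL with no version resource yields 0.0.0 and is reported as flagged.
            $fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $fileVersion
                Flagged     = $fileVersion -lt $Fixed
            }
        }
}

$results = @(Get-NewtonsoftInventory -Root $AgentRoot -Fixed $FixedVersion)
$results | Sort-Object FileVersion, Path | Format-Table -AutoSize -Wrap

$flagged = @($results | Where-Object Flagged)
Write-Host ("{0} of {1} copies are older than {2}" -f $flagged.Count, $results.Count, $FixedVersion)

# Non-zero exit lets a scheduled task or pipeline step fail while old copies remain.
if ($flagged.Count -gt 0) { exit 1 }
```

The check compares the file version embedded in each DLL, so copies cached under the work directory by earlier task runs are reported alongside the ones shipped with the agent.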