[Question]: Agent install being flagged for CVE-2024-21907 #4593
Assignees
Labels
Comments
KonstantinTyukalov
added
bug
external
misc
|
I am having the same issue. Any update? |
|
Thank you for reporting this! Issue summary: ETA of Resolution: July. |
|
Any news to share @martin-toman ? |
|
Safer approach: #4955 |
Merged
|
Does anyone know when MS should be releasing a new pipeline agent with the updated tf? |
|
any updates? |
|
This fix should be available in v3.244.1 |
|
I'm closing this issue as the fix has been rolled out. Please feel free to re-open it if you still experience this issue |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe your question
Hi all,
My company is using Wiz to scan various virtual machine resources, and my team is running some Windows build agents through Azure DevOps.
Agent version - 3.230.0
The agent and work directories for each agent service are being flagged by Wiz due to having older verisons of Newtonsoft.Json
(9.0.1 and 10.0.3) - I have tested upgrading to agent version 3.232.1 however that appears to still be using the same library references.
See vulnerability reference here: CVE-2024-21907
A specific example of one of these flags:
Is there currently a PR in progress to address this, or otherwise an ETA for resolution? Any input would be appreciated.
Thank you kindly,
Matthew
Versions
Azure DevOps Agent version 3.230.0 / Windows Server 2019 (for build agents)
Environment type (Please select at least one enviroment where you face this issue)
Azure DevOps Server type
Azure DevOps Server (Please specify exact version in the textbox below)
Operation system
Windows Server 2019
Version controll system
No response
Azure DevOps Server Version (if applicable)
Azure DevOps Server 2022.1
The text was updated successfully, but these errors were encountered: