Updating dependency with vulnerability in CMS causes runtime error

January 12, 2024 3:43 PM

Hi, we are on K13 on .NET6. We recently got an alert about a vulnerability as noted on this github advisory - https://github.com/advisories/GHSA-8g9c-28fc-mcx2. The solution is simply to update Microsoft.IdentityModel.JsonWebTokens and System.IdentityModel.Tokens.Jwt to 6.34.0 to receive the patch. This works fine on the MVC sites, but a breaking change within those packages causes and error in the CMS at runtime as seen in the image below.

It looks like there was an update that required the key to be >512 bits that the CMS is not reaching. Is there a plan to address this to resolve this vulnerability?

Environment

Xperience by Kentico version: [13.0.131]
.NET version: [6]
Deployment environment: [Azure]
Link to relevant Xperience by Kentico documentation

Answers

🔗

Sean Wright (seangwright)

January 13, 2024 5:45 PM

@David

Hey! Welcome to the Kentico Community Portal!

This Q&A is focused on questions and discussions about Xperience by Kentico.

If you have questions about Kentico Xperience 13 and previous versions, you'll find more engagement and support over on DevNet's Q&A forums.

You can also try the Kentico Community Slack organization, which has a dedicated channel for Kentico Xperience 13.

Since this qustion is about a security related topic, I'd recommend you contact [email protected]

Answer

To answer this question, you have to login first.