
CVE-2018-1285 critical vulnerability

Open · totszwai opened this issue 1 year ago · 1 comment

Hello, this extension is being flagged with a critical vulnerability.


Looks like FineCodeCoverage is using an extremely old version of Apache log4net; they already had a fix for this 4 years ago. https://github.com/apache/logging-log4net/releases

totszwai avatar May 27 '24 12:05 totszwai

I took the latest release from log4net, version 2.0.17, grabbed the DLL from the net45 folder and replaced it in my local install of FineCodeCoverage, which seems to get rid of the vulnerability flagging, and the FineCodeCoverage extension still seems to run just fine.

totszwai avatar May 27 '24 13:05 totszwai

There is a version of OpenCover (4.7.1221) using log4net 2.0.12 that corrects this vulnerability. https://github.com/OpenCover/opencover

However, I can't update the zip file in this project because it requires some kind of conversion.

This project should use opencover.4.7.1221.zip instead of opencover.4.7.922.zip

@FortuneN

egauthierLesters avatar Feb 07 '25 19:02 egauthierLesters

Use MS code coverage and OpenCover will not be used.

At a later date I will update the opencover zip

tonyhallett avatar Feb 07 '25 20:02 tonyhallett

Fixed - please update your version of FCC.

tonyhallett avatar Feb 20 '25 11:02 tonyhallett
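The two workarounds above (swapping the loose log4net.dll in the local install, and the log4net.dll that ships inside the bundled opencover zip) both come down to the same question: which log4net versions are actually on disk under the extension directory? The following PowerShell audit script is an added example, not code from the FineCodeCoverage or OpenCover projects. It walks a directory, reads the assembly version of every log4net.dll it finds, including copies packed inside *.zip files, and flags anything older than a threshold. The default root path is illustrative, and the 2.0.12 threshold is an assumption taken from the comment above that names that version as corrected; adjust both for your install.

```powershell
# Added example (not part of FineCodeCoverage or OpenCover): audit every
# log4net.dll under an extension directory, including copies inside zip
# files such as opencover.*.zip, and flag versions below a threshold.
# Assumptions: $ExtensionRoot is an illustrative default, and $MinimumVersion
# (2.0.12) is the version the issue thread names as corrected.
param(
    [string]$ExtensionRoot = "$env:LOCALAPPDATA\Microsoft\VisualStudio",
    [version]$MinimumVersion = [version]'2.0.12'
)

function Get-AssemblyVersion {
    param([string]$DllPath)
    # Reads assembly metadata without executing any code from the DLL.
    [System.Reflection.AssemblyName]::GetAssemblyName($DllPath).Version
}

function Test-Log4netDll {
    param([string]$DllPath, [string]$Origin)
    $v = Get-AssemblyVersion -DllPath $DllPath
    [pscustomobject]@{
        Origin     = $Origin
        Version    = $v
        BelowFixed = ($v -lt $MinimumVersion)
    }
}

# A List is a reference type, so adding to it inside pipeline script blocks
# is unaffected by scoping.
$results = [System.Collections.Generic.List[object]]::new()

# 1. Loose DLLs on disk (the copy that a manual DLL swap replaces).
Get-ChildItem -Path $ExtensionRoot -Recurse -Filter 'log4net.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $results.Add((Test-Log4netDll -DllPath $_.FullName -Origin $_.FullName))
    }

# 2. DLLs packed inside zips (e.g. opencover.4.7.922.zip). Each match is
#    extracted to a temp file, inspected, and deleted again.
Add-Type -AssemblyName System.IO.Compression.FileSystem
Get-ChildItem -Path $ExtensionRoot -Recurse -Filter '*.zip' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $zipPath = $_.FullName
        $zip = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
        try {
            foreach ($entry in $zip.Entries) {
                if ($entry.Name -ine 'log4net.dll') { continue }
                $tmp = Join-Path ([System.IO.Path]::GetTempPath()) ("log4net_" + [guid]::NewGuid() + ".dll")
                [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $tmp, $true)
                try {
                    $results.Add((Test-Log4netDll -DllPath $tmp -Origin "$zipPath::$($entry.FullName)"))
                } finally {
                    Remove-Item $tmp -ErrorAction SilentlyContinue
                }
            }
        } finally {
            $zip.Dispose()
        }
    }

$results | Format-Table -AutoSize

# Non-zero exit so the audit can gate a CI or post-install step.
if ($results | Where-Object BelowFixed) { exit 1 } else { exit 0 }
```

Run it as `.\Audit-Log4net.ps1 -ExtensionRoot 'C:\path\to\FineCodeCoverage'`. A copy flagged inside a zip is the case the thread describes as hard to patch by hand: replacing the loose DLL leaves the archived one untouched, so the zip itself has to be rebuilt (or the extension updated to the fixed release) before the scanner stops flagging it.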