Does CVE-2018-8292 apply to azure function app v1 at .net framework 4.8?

[vincentlam8]

I did a vulnerability scan, and it is complaining about system.net.http. Does CVE-2018-8292 vulnerability actually apply to an azure function app v1? my understanding is that azure function app v1 with .net framework 4.8 is not a .net core app, hence it does not apply. Is my understanding correct? Many Thanks for the help!

[teo-tsirpanis]

I don't know but if I were you I would have removed the System.Net.Http NuGet package and just use the built-in edition of HttpClient. The latest version is not vulnerable, but is pretty old; it was released three and a half years ago.

[vincentlam8]

Thanks Theo. I have the System.Net.Http NuGet package, but it is still complaining via the microsoft.net.sdk.functions.1.0.38.nupkg NuGet package. It is weird, because when I expand microsoft.net.sdk.functions.1.0.38.nupkg, it is already has the latest System.Net.Http 4.3.4. Another thing is, I tried to install the latest System.Net.Http 4.3.4 and it didn't do anything.

[teo-tsirpanis]

Perhaps @ericstj knows better about NuGet packages and can answer.