Security Advisory Id GHSA-6c8g-7p36-r338
This advisory discloses a security vulnerability Patches for components to update their dependencies to avoid references that have the GHSA-6c8g-7p36-r338 security advisory: SharpCompress has directory traversal via directory entries in WriteToDirectory (zip slip variant).
Patch releases
| Component | Version | Where to get it |
|---|---|---|
| NServiceBus.Storage.MongoDB | 3.0.7 | NuGet |
| NServiceBus.Storage.MongoDB.TransactionalSession | 3.0.7 | NuGet |
| NServiceBus.Storage.MongoDB | 4.2.2 | NuGet |
| NServiceBus.Storage.MongoDB.TransactionalSession | 4.2.2 | NuGet |
| NServiceBus.Storage.MongoDB | 5.0.3 | NuGet |
| NServiceBus.Storage.MongoDB.TransactionalSession | 5.0.3 | NuGet |
| NServiceBus.Storage.MongoDB | 6.0.4 | NuGet |
| NServiceBus.Storage.MongoDB.TransactionalSession | 6.0.4 | NuGet |
| NServiceBus.Storage.MongoDB | 7.0.3 | NuGet |
| NServiceBus.Storage.MongoDB.TransactionalSession | 7.0.3 | NuGet |
How to know if you are affected
You are affected if you are using previous versions of any of these components, but this doesn't necessarily mean you are vulnerable.
Symptoms
For NuGet packages your projects have the setting NuGetAuditMode set to all and see transitive dependency warnings at build time that mention Particular packages.
Other components of the platform will not have any symptoms.
When to upgrade
You should upgrade immediately if you are affected. Otherwise, you should upgrade during your next maintenance window.