Description
Hi team,
Our Component Governance tool detects a medium-severity vulnerability for com.microsoft.rest:client-runtime:1.7.4 because it uses com.google.guava:guava:24.1.1-jre.
Below is the description:
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
We are requesting a release that will update the dependency to the latest version to mitigate the issue. It is also a good idea to update all dependencies to their latest versions.
Note: I have created a similar issue before, but unfortunately the vulnerability is still present.
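The advisory quoted above gives a concrete affected range (Guava 11.0 through 24.x, fixed in 24.1.1), so the practical check for a consumer of client-runtime is whether any transitive Guava in the build falls inside that range. The script below is an added example, not code from the issue or from the client-runtime project: it parses the text format printed by `mvn dependency:tree`, applies the advisory's range to every Guava coordinate it finds, and reports which direct dependency pulls each affected copy in (that is the artifact you need to bump or exclude). The sample tree and its coordinates are constructed for this example; the boundary case `24.1.1-jre` is included to show it is outside the stated range while `24.1-jre` is inside it.

```python
import re
from typing import List, Tuple

# Affected range as stated in the advisory text quoted in the issue:
# Guava 11.0 through 24.x before 24.1.1, so 24.1.1 is the first fixed release.
AFFECTED_FROM = (11, 0, 0)
FIXED_IN = (24, 1, 1)

# Constructed sample of `mvn dependency:tree` output (made up for this example,
# not a real project's tree). Each nesting level adds three characters of prefix.
SAMPLE_TREE = "\n".join([
    r"[INFO] com.example:demo-app:jar:1.0-SNAPSHOT",
    r"[INFO] +- com.microsoft.rest:client-runtime:jar:1.7.4:compile",
    r"[INFO] |  \- com.google.guava:guava:jar:24.1-jre:compile",
    r"[INFO] +- com.example:other-lib:jar:2.0:compile",
    r"[INFO] |  \- com.google.guava:guava:jar:24.1.1-jre:compile",
    r"[INFO] \- com.example:legacy-lib:jar:0.9:test",
    r"[INFO]    \- com.google.guava:guava:jar:18.0:test",
])

# One tree line: "[INFO] " + tree-drawing prefix + group:artifact:type:version[:scope]
LINE_RE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:[|+\\\- ]{2} )*)"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?P<version>[^:\s]+)(?::(?P<scope>\w+))?"
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """'24.1.1-jre' -> (24, 1, 1). Classifier suffixes such as -jre/-android are
    dropped and missing numeric parts are padded with zeros."""
    core = version.split("-", 1)[0]
    nums = []
    for part in core.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    nums = (nums + [0, 0, 0])[:3]
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> bool:
    """True when the Guava version lies in [11.0, 24.1.1)."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def find_vulnerable_guava(tree_text: str) -> List[Tuple[str, str]]:
    """Return (guava_version, direct_dependency) for every affected Guava in the tree.

    direct_dependency is the depth-1 coordinate (group:artifact:version) under which
    the affected Guava sits, i.e. the dependency to upgrade or exclude."""
    findings = []
    path: List[str] = []  # coordinates from the root down to the current line
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        coord = f"{m.group('group')}:{m.group('artifact')}:{m.group('version')}"
        path = path[:depth]
        path.append(coord)
        if (m.group("group"), m.group("artifact")) == ("com.google.guava", "guava") \
                and is_affected(m.group("version")):
            via = path[1] if len(path) > 1 else coord
            findings.append((m.group("version"), via))
    return findings


if __name__ == "__main__":
    for version, via in find_vulnerable_guava(SAMPLE_TREE):
        print(f"affected guava {version} pulled in by {via}")
```

To run it against a real build, replace `SAMPLE_TREE` with the captured output of `mvn dependency:tree` (for example read from a file); the regex only understands the default text renderer, not the `-DoutputType=dot` or `graphml` variants.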