CVE-2024-21386 AspNetCore.HealthChecks.UI.Client/8.0.1 - upgrade Microsoft.Extensions.Diagnostics.HealthChecks

[rsrinivasanhome]

CVE-2024-21386 - AspNetCore.HealthChecks.UI.Client/8.0.1

https://nvd.nist.gov/vuln/detail/CVE-2024-21386

Upgrade nugget: Microsoft.Extensions.Diagnostics.HealthChecks/8.0.0 to https://www.nuget.org/packages/Microsoft.Extensions.Diagnostics.HealthChecks/8.0.6

[adamsitnik]

Hi @rsrinivasanhome

Why do you believe that updating Microsoft.Extensions.Diagnostics.HealthChecks would solve the referenced CVE?

According to my understanding the bug was in the Microsoft.AspNetCore.App so the users should just update their .NET SDK?

cc @rbhanda @blowdart @Alirexaa

[blowdart]

Updating the SDK or runtime is the correct way to patch nearly all .NET CVEs now.

.NET does't update dependencies like this to reduce churn and to ensure that packages are still usable by users who haven't patched their runtimes yet, so we won't take a PR like this in the .NET repos.

Whilst no doubt well intentioned I suggest closing the PR.