[Solved] Umbraco.Cms.Infrastructure 13.6.0 showing...
# help-with-umbraco
d
Morning folks! I'm just running through some package updates on a Umbraco 13 site and have noticed that Umbraco.Cms.Infrastructure 13.6.0 is flagged as vulnerable due to a security advisory, and we've not yet got a 13.X fix available. Based on the Security advisory (https://github.com/advisories/GHSA-572q-86rr-5vgq), I'm wondering if it's actually supposed to be marked as only affecting versions 14.0.0 onwards? And if this is indeed a problem on 13, is anyone working on a fix? Hoping someone might have some insight into this 🙂
s
I'll get some more comments on this, but the NCC Group seems to have mischaracterized a community member's response as an official response from us and didn't follow the normal procedure of disclosure. Not saying it's not an issue, just need to figure out what we do about it. It is unlikely that this is reproducible on v13, as the report mentions the management API which does not exist in v13. I'll get back to this.
d
Amazing, thank you so much for the quick response! I had a feeling that there was some mislabelling/mischaracterisation somewhere.
s
No worries, I see @User has also flagged this with us now.
d
I can see that the advisory has been withdrawn as of the 13th, great stuff. 🙏
s
LOL, I reported pretty much the same issue in like v10/11.
The recommendation on NCC Group's blog post is... "Identify a C/C++ HTML sanitization framework best suited for the organization if using RTE is mandatory. Seek alternative components in Umbraco for content rendering otherwise." ...what?
C/C++?