FubarCoder.RestSharp.Portable is deprecated and hasn't been updated since 2016 #72

Open
philipborg opened this issue Sep 15, 2023 · 5 comments


@philipborg

The dependency was last updated in 2016 and officially deprecated in 2018. Especially as it's a networking library, this is unacceptable from a security perspective. It also causes compatibility issues with modern code-bases.

https://github.com/FubarDevelopment/restsharp.portable

@gabriel-ecegi

Yes, this library contains High Severity vulnerabilities

Issues with no direct upgrade or patch:
✗ Arbitrary File Write via Archive Extraction (Zip Slip) [Medium Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMIOCOMPRESSIONZIPFILE-174570] in [email protected]
introduced by [email protected] > [email protected] > [email protected] > [email protected] and 1 other path(s)
This issue was fixed in versions: 4.3.0
✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60045] in [email protected]
introduced by [email protected] > [email protected] > [email protected] and 3 other path(s)
This issue was fixed in versions: 4.1.2, 4.3.2
✗ Improper Certificate Validation [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60046] in [email protected]
introduced by [email protected] > [email protected] > [email protected] and 3 other path(s)
This issue was fixed in versions: 4.1.2, 4.3.2
✗ Privilege Escalation [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60047] in [email protected]
introduced by [email protected] > [email protected] > [email protected] and 3 other path(s)
This issue was fixed in versions: 4.1.2, 4.3.2
✗ Authentication Bypass [Medium Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60048] in [email protected]
introduced by [email protected] > [email protected] > [email protected] and 3 other path(s)
This issue was fixed in versions: 4.1.2, 4.3.2
✗ Information Exposure [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-72439] in [email protected]
introduced by [email protected] > [email protected] > [email protected] and 3 other path(s)
This issue was fixed in versions: 2.0.20710, 4.0.1-beta-23225, 4.1.4, 4.3.4
✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTREGULAREXPRESSIONS-174708] in [email protected]
introduced by [email protected] > [email protected] > [email protected] > [email protected] and 19 other path(s)
This issue was fixed in versions: 4.3.1

@anthonyvia

I am also running into incompatibility issues with modern code bases because of this dependency. FWIW the newest version of swagger codegen uses a different HTTP library. However, I couldn't get this generated code to compile. We are having to write our own implementation of the Brevo/Sendinblue API due to this.

@maftieu

maftieu commented Mar 20, 2024

Has this been changed in Brevo CSharp? https://www.nuget.org/packages/brevo_csharp/

@philipborg

> Has this been changed in Brevo CSharp? https://www.nuget.org/packages/brevo_csharp/

Nope, it still depends on FubarCoder.RestSharp.Portable.

@Liandrel

Brevo responded to my ticket in the helpdesk that they tried to update the SDK but encountered numerous errors. Therefore, they decided to maintain the current version for the time being. So if you wanna use it, I think that you need to write your own SDK for security reasons.
