Impact
What kind of vulnerability is it? Who is impacted?
An Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin.
Developers who have built applications which include Microsoft's Semantic Kernel .NET SDK and are using the SessionsPythonPlugin
Patches
Has the problem been patched? What versions should users upgrade to?
The problem has been fixed in Microsoft.SemanticKernel.Plugins.Core version 1.71.0. Users should upgrade to version 1.71.0 or higher.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync or UploadFileAsync and ensures the provided localFilePath is allow listed.
References
Are there any links users can visit to find out more?
doredry Finder
amiteliahu Finder
urioren Finder
Impact
What kind of vulnerability is it? Who is impacted?
An Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the
SessionsPythonPlugin.Developers who have built applications which include Microsoft's Semantic Kernel .NET SDK and are using the
SessionsPythonPluginPatches
Has the problem been patched? What versions should users upgrade to?
The problem has been fixed in Microsoft.SemanticKernel.Plugins.Core version 1.71.0. Users should upgrade to version 1.71.0 or higher.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users can create a Function Invocation Filter which checks the arguments being passed to any calls to
DownloadFileAsyncorUploadFileAsyncand ensures the providedlocalFilePathis allow listed.References
Are there any links users can visit to find out more?