This security patch fixes a regression appeared in the previous version 1.7.25 that makes Dashboard UI available for remote requests in the default configuration, e.g. when no authentication filter specified. Please note that when custom authentication filter is defined as recommended in the documentation, everything works as expected, but upgrade is recommended in any case. Please read the GHSA-7rq6-7gv8-c37h security advisory for details.
- CVE ID
- CVE-2021-41238
- Affected Packages
- Hangfire.Core = 1.7.25 (only)
- Affected Platforms
- All, including .NET Core, .NET Framework, Mono of any version
Hangfire.Core
- Security – Fix “Dashboard UI accessible from outside by default since 1.7.25” regression.