Newtonsoft.Json vulnerability to DoS attacks in versions before 13.0.1 #256
Comments
In Microsoft.VisualStudio.SlowCheetah.VS, the Newtonsoft.Json version is 13.0.1, so this issue can be closed.
I didn't notice the code actually references version 13.0.1. I had the latest version available in the NuGet repository installed, 4.0.8. Since the vulnerability has high severity I think the hotfix should also have high priority, since the package is unusable in this state. I'm not sure if the issue should be closed for now, as it should draw attention to the package being unusable and there should be a hotfix release.
Relates to #249
I am trying to determine whether or not this was fixed in the 4.0.30 package version. When I downloaded the package and extracted its contents, however, it still includes v9.0.1 of Newtonsoft.Json.dll. It also still uses version 0.9.23 of Microsoft.VisualStudio.Jdt.dll (which is where the reference to Newtonsoft.Json comes from). Instead of including these files directly in the SlowCheetah package, can we not simply include a reference to the Jdt v0.9.63 package as a dependency?
Release https://github.com/microsoft/slow-cheetah/tree/v4.0.50 has been pushed and is available on NuGet for the Microsoft.VisualStudio.SlowCheetah package. It includes commit 7ae268b that updates Newtonsoft to 13.0.1 and should resolve scanner issues. Note to others, the real threat on the Newtonsoft issue could also be mitigated by applying the serializer settings default depth value as outlined at GHSA-5crp-9r3c-p9vr. This issue can be closed.
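The depth-limit mitigation mentioned in the comment above, as an added C# example that is not code from the SlowCheetah project or the advisory: it sets `MaxDepth` on `JsonSerializerSettings` (the value 13.0.1 applies by default) so a deeply nested document is rejected with a catchable `JsonReaderException` instead of recursing until the process dies. The class name, the helper names and the nesting depths are assumptions.

```csharp
using System;
using System.Text;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Hypothetical helper class; not part of SlowCheetah, Jdt or Newtonsoft.Json.
public static class NestedJsonDepthDemo
{
    // Constructed sample input: an array nested `depth` levels deep, e.g. "[[[]]]".
    // This is the shape of document that exhausts the stack when no limit is set.
    public static string BuildNestedArray(int depth)
    {
        var sb = new StringBuilder(depth * 2);
        sb.Append('[', depth);
        sb.Append(']', depth);
        return sb.ToString();
    }

    // Returns true when the parser rejected the document because it exceeded
    // maxDepth, false when the document was parsed completely.
    public static bool IsRejectedByDepthLimit(string json, int maxDepth)
    {
        var settings = new JsonSerializerSettings
        {
            // Newtonsoft.Json 13.0.1 defaults this to 64; earlier versions set no
            // limit, so a hostile document recurses until a StackOverflow kills the
            // process (which .NET cannot catch). Setting it explicitly gives the
            // same protection on an older library version.
            MaxDepth = maxDepth
        };
        try
        {
            JsonConvert.DeserializeObject<JToken>(json, settings);
            return false;
        }
        catch (JsonReaderException)
        {
            // Thrown as soon as the reader's depth passes MaxDepth; the process survives.
            return true;
        }
    }

    public static void Main()
    {
        string hostile = BuildNestedArray(10_000);
        Console.WriteLine(IsRejectedByDepthLimit(hostile, 64)); // True
        string benign = BuildNestedArray(10);
        Console.WriteLine(IsRejectedByDepthLimit(benign, 64));  // False
    }
}
```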
Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of StackOverFlow exception (SOE) whenever nested expressions are being processed. Exploiting this vulnerability results in Denial Of Service (DoS), and it is exploitable when an attacker sends 5 requests that cause SOE in a time frame of 5 minutes. This vulnerability affects Internet Information Services (IIS) Applications.
SlowCheetah in version 4.0.8 references an older version of the aforementioned library. This is a major issue rendering SlowCheetah unusable. Upgrade to Newtonsoft.Json version 13.0.1.