
Newtonsoft.Json vulnerability to DoS attacks in versions before 13.0.1 #256

SiwinskiK opened this issue Jul 8, 2022 · 5 comments

@SiwinskiK

Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of a StackOverflow exception (SOE) whenever nested expressions are being processed. Exploiting this vulnerability results in Denial of Service (DoS), and it is exploitable when an attacker sends 5 requests that cause an SOE in a time frame of 5 minutes. This vulnerability affects Internet Information Services (IIS) applications.

SlowCheetah in version 4.0.8 references an older version of the aforementioned library. This is a major issue rendering SlowCheetah unusable. Upgrade Newtonsoft.Json to version 13.0.1.

@soroshsabz

In Microsoft.VisualStudio.SlowCheetah.VS, the Newtonsoft.Json version is 13.0.1, so this issue can be closed.

@SiwinskiK (Author) commented Jul 11, 2022

I didn't notice the code actually references version 13.0.1. I had the latest version available in the NuGet repository, 4.0.8, installed. Since the vulnerability has high severity, I think the hotfix should also have high priority, since the package is unusable in this state. I'm not sure if the issue should be closed for now, as it should draw attention to the package being unusable, and there should be a hotfix release.

SiwinskiK reopened this Jul 11, 2022

@zdfowler

Relates to #249

@AndreasNVI

I am trying to determine whether or not this was fixed in the 4.0.30 package version. However, when I downloaded the package and extracted its contents, it still included v9.0.1 of Newtonsoft.Json.dll. It also still uses version 0.9.23 of Microsoft.VisualStudio.Jdt.dll (which is where the reference to Newtonsoft.Json comes from).

Instead of including these files directly into the SlowCheetah package, can we not simply include a reference to the Jdt v0.9.63 package as a dependency?

@zdfowler commented Jul 14, 2023

Release https://github.com/microsoft/slow-cheetah/tree/v4.0.50 has been pushed and is available on NuGet for the Microsoft.VisualStudio.SlowCheetah package.

It includes commit 7ae268b, which updates Newtonsoft.Json to 13.0.1 and should resolve scanner issues.

Note to others: the real threat on the Newtonsoft issue could also be mitigated by applying the serializer settings' default depth value, as outlined at GHSA-5crp-9r3c-p9vr.

This issue can be closed.
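As an added illustration of the depth mitigation mentioned above (example code, not from the issue thread or the SlowCheetah project): it assumes that JsonSerializerSettings.MaxDepth is the depth setting the advisory refers to, pins it explicitly so the limit applies even on Newtonsoft.Json builds where the default was unbounded, and checks that a constructed deeply nested document is rejected with a JsonReaderException instead of recursing until the stack is exhausted.

```csharp
using System;
using System.Text;
using Newtonsoft.Json;

// Added example; assumes MaxDepth is the relevant JsonSerializerSettings knob.
public static class DepthGuardDemo
{
    // Hardened settings: refuse documents nested deeper than 64 levels.
    // Setting this explicitly matters on pre-13.0.1 builds, where the
    // default imposed no limit and deep nesting could overflow the stack.
    public static readonly JsonSerializerSettings Hardened = new JsonSerializerSettings
    {
        MaxDepth = 64
    };

    // Builds a constructed test document of the form [[[...]]] nested
    // `depth` levels deep. This is test input, not captured traffic.
    public static string NestedArrays(int depth)
    {
        var sb = new StringBuilder(depth * 2);
        sb.Append('[', depth).Append(']', depth);
        return sb.ToString();
    }

    // Returns true when the document is accepted and false when the depth
    // limit rejects it. The reader throws JsonReaderException as soon as the
    // configured MaxDepth is exceeded, so the whole payload is never walked.
    public static bool TryDeserialize(string json, JsonSerializerSettings settings)
    {
        try
        {
            JsonConvert.DeserializeObject(json, settings);
            return true;
        }
        catch (JsonReaderException ex)
        {
            Console.WriteLine($"rejected: {ex.Message}");
            return false;
        }
    }

    public static void Main()
    {
        // Shallow input stays within the limit; the deep input is refused.
        Console.WriteLine($"depth 32 accepted: {TryDeserialize(NestedArrays(32), Hardened)}");
        Console.WriteLine($"depth 1000 accepted: {TryDeserialize(NestedArrays(1000), Hardened)}");
    }
}
```

The same settings object can be passed to every JsonConvert call or installed as JsonConvert.DefaultSettings so that ASP.NET model binding in IIS-hosted applications inherits the limit.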
