
Newtonsoft.Json vulnerability to DoS attacks in versions before 13.0.1

Open SiwinskiK opened this issue 2 years ago • 5 comments

Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of a StackOverflow exception (SOE) whenever nested expressions are being processed. Exploiting this vulnerability results in Denial of Service (DoS), and it is exploitable when an attacker sends 5 requests that cause an SOE in a time frame of 5 minutes. This vulnerability affects Internet Information Services (IIS) applications.

SlowCheetah in version 4.0.8 references an older version of the aforementioned library. This is a major issue rendering SlowCheetah unusable. Upgrade to Newtonsoft.Json version 13.0.1.

SiwinskiK avatar Jul 08 '22 10:07 SiwinskiK

In Microsoft.VisualStudio.SlowCheetah.VS, the Newtonsoft.Json version is 13.0.1, so this issue can be closed.

soroshsabz avatar Jul 10 '22 07:07 soroshsabz

I didn't notice the code actually references version 13.0.1. I had the latest version available in the NuGet repository installed, 4.0.8. Since the vulnerability has high severity I think the hotfix should also have high priority, since the package is unusable in this state. I'm not sure if the issue should be closed for now, as it should draw attention to the package being unusable and there should be a hotfix release.

SiwinskiK avatar Jul 11 '22 08:07 SiwinskiK

Relates to https://github.com/microsoft/slow-cheetah/issues/249

zdfowler avatar Aug 19 '22 14:08 zdfowler

I am trying to determine whether or not this was fixed in the 4.0.30 package version. When I downloaded the package and extracted its contents however, it still includes v9.0.1 of Newtonsoft.Json.dll. It also still uses version 0.9.23 of Microsoft.VisualStudio.Jdt.dll (which is where the reference to Newtonsoft.Json comes from).

Instead of including these files directly into the SlowCheetah package, can we not simply include a reference to the Jdt v0.9.63 package as a dependency?

AndreasNVI avatar Apr 17 '23 16:04 AndreasNVI

Release https://github.com/microsoft/slow-cheetah/tree/v4.0.50 has been pushed and is available on NuGet for the Microsoft.VisualStudio.SlowCheetah package.

It includes commit https://github.com/microsoft/slow-cheetah/commit/7ae268bac0b361737af7a32eb7db84233d665de7 that updates Newtonsoft.Json to 13.0.1 and should resolve scanner issues.

Note to others: the real threat on the Newtonsoft issue could also be mitigated by applying the serializer settings' default depth value as outlined at https://github.com/advisories/GHSA-5crp-9r3c-p9vr

This issue can be closed.

zdfowler avatar Jul 14 '23 19:07 zdfowler
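The depth-limit mitigation mentioned in the last comment, shown as an added C# example (this is not code from the slow-cheetah project or from Newtonsoft.Json itself). It uses the real `JsonSerializerSettings.MaxDepth` and `JsonConvert.DefaultSettings` members; the `MaxNestingDepth` constant, the `BoundedJson` class, and the `NestedArrays` helper that builds the constructed test input are assumptions for this illustration. With a depth limit in place, a payload nested deeper than the limit is rejected with a catchable `JsonReaderException`, whereas an unbounded parser on an older Newtonsoft.Json version would instead exhaust the stack with an uncatchable `StackOverflowException` and take the worker process down.

```csharp
// Added example (not from the slow-cheetah project): bound JSON nesting depth
// in Newtonsoft.Json so deeply nested input is refused with an exception the
// application can catch and log, rather than crashing the process.
using System;
using Newtonsoft.Json;

public static class BoundedJson
{
    // Assumed limit for this example; 64 is the default that Newtonsoft.Json
    // 13.0.1 adopted. Versions before 13.0.1 apply no limit unless one is set.
    public const int MaxNestingDepth = 64;

    // Process-wide default: every JsonConvert call that does not pass its own
    // settings picks this up, which is the simplest way to cover legacy code.
    public static void InstallGlobalDefaults()
    {
        JsonConvert.DefaultSettings = () => new JsonSerializerSettings
        {
            MaxDepth = MaxNestingDepth
        };
    }

    // Per-call limit. Returns the parsed value, or null with the reader's
    // rejection message when the nesting limit is exceeded.
    public static object ParseBounded(string json, out string rejection)
    {
        rejection = null;
        var settings = new JsonSerializerSettings { MaxDepth = MaxNestingDepth };
        try
        {
            return JsonConvert.DeserializeObject<object>(json, settings);
        }
        catch (JsonReaderException ex)
        {
            // Reached when depth > MaxDepth; the message names the limit hit.
            rejection = ex.Message;
            return null;
        }
    }

    // Constructed test input: an array nested `depth` levels deep,
    // e.g. NestedArrays(3) == "[[[]]]".
    public static string NestedArrays(int depth)
    {
        return new string('[', depth) + new string(']', depth);
    }

    public static void Main()
    {
        InstallGlobalDefaults();

        foreach (var depth in new[] { 10, MaxNestingDepth, MaxNestingDepth + 1, 10000 })
        {
            var value = ParseBounded(NestedArrays(depth), out var why);
            Console.WriteLine(value == null
                ? $"depth {depth}: rejected ({why})"
                : $"depth {depth}: accepted");
        }
    }
}
```

Inputs up to `MaxNestingDepth` levels parse normally; anything deeper is refused before the reader recurses far enough to matter, so the same handler that logs malformed input handles these as well. The global default is the part worth adding to an existing application: it protects call sites that were written before the library had a limit, without touching each of them.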