Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of a StackOverflow exception (SOE) whenever nested expressions are being processed. Exploiting this vulnerability results in Denial of Service (DoS), and it is exploitable when an attacker sends 5 requests that cause SOE in a time frame of 5 minutes. This vulnerability affects Internet Information Services (IIS) applications. The vulnerability is severe and renders coverlet unusable.
Coverlet in version 2.0.9 references an older version of the aforementioned library. Upgrade to Newtonsoft.Json version 13.0.1.
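The mitigation behind the 13.0.1 bump is a nesting limit: the library now defaults `MaxDepth` to 64, so pathological input fails with a catchable `JsonReaderException` instead of overflowing the stack. The following is an added example (not coverlet's or Newtonsoft's own code) that applies that limit explicitly, which also protects projects still pinned to an older version; the class name, the 64 limit and the two sample documents are assumptions constructed for illustration.

```csharp
using System;
using System.IO;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Added example: parse untrusted JSON with an explicit nesting limit so that
// deeply nested input is rejected by the reader rather than exhausting the
// stack. Newtonsoft.Json 13.0.1 made MaxDepth = 64 the default; setting it
// explicitly gives the same bound on older versions.
static class BoundedJson
{
    const int MaxNestingDepth = 64; // assumed limit, matches the 13.0.1 default

    // Returns the parsed token, or null (with a reason) when the input is rejected.
    public static JToken TryParse(string json, out string error)
    {
        error = null;
        using (var reader = new JsonTextReader(new StringReader(json)) { MaxDepth = MaxNestingDepth })
        {
            try
            {
                return JToken.ReadFrom(reader);
            }
            catch (JsonReaderException ex)
            {
                // Depth overflow and malformed input both land here; the process survives.
                error = ex.Message;
                return null;
            }
        }
    }

    // The same bound applied through the settings object used by JsonConvert.
    public static T Deserialize<T>(string json)
    {
        var settings = new JsonSerializerSettings { MaxDepth = MaxNestingDepth };
        return JsonConvert.DeserializeObject<T>(json, settings);
    }

    static void Main()
    {
        // Constructed samples: a benign document and one nested far past the limit.
        string benign = "{\"a\":[1,2,{\"b\":3}]}";
        string deep = new string('[', 10_000) + new string(']', 10_000);

        Console.WriteLine(TryParse(benign, out _) != null ? "benign: accepted" : "benign: rejected");
        Console.WriteLine(TryParse(deep, out var why) == null ? "deep: rejected (" + why + ")" : "deep: accepted");
    }
}
```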
@SiwinskiK coverlet packages should only be referenced by unit test projects, which generally ought not to be run in IIS, at least not in production. Given that, is this vulnerability still relevant for coverlet? I think, but am not sure, that the older version of Newtonsoft.Json is referenced because of compatibility with .NET Framework.
@petli that's true; anyway, we're running inside CI, so I think the bump will be good. I don't know, but I think we'll also need to bump the object model used by collectors, because the test platform already did the bump, so we could break something, but it's ok.
We have an open PR #1358, but I haven't had time yet to take a look.