SpecFlow.Plus.LivingDoc.CLI-3.9.57 (current latest) has a dependency on an older version of newtonsoft.Json 3.9.57.nupkgtools/netcoreapp3.1/any/Newtonsoft.Json.dll[8.0.4-beta1, 13.0.1-beta2)
Which has a security vulnerability which is being identified by Sonatype ( Sonatype is a tool used by my company which prevents the use of nuget packages which have security vulnerabilities)
It appears that newtonsoft has addressed this concern in versions of newtonsoft.Json > 13 which was released almost a year ago.
Below this line is details from so I want to type explaining the reason for not allowing packages which use this older version of newtonsoft from being used
The Newtonsoft.Json package is vulnerable to a Denial of Service (DoS) attack. The JsonSerializerSettings.cs file and the constructor in the JsonReader class fails to enforce a sufficient maximum depth when serializing nested JSON objects. Consequently, serializing large numbers of nested JSON objects may cause the application to crash with a StackOverflowException. A remote attacker who can supply JSON data to be serialized by the application can exploit this vulnerability to cause a DoS condition or other unexpected behavior.
The application is vulnerable by using this component.
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
Sonatype CVSS 3:7.5
Please sign in to leave a comment.