Updating Newtonsoft.Json in SpecFlow.Plus.LivingDoc.CLI
SpecFlow.Plus.LivingDoc.CLI-3.9.57 (current latest) has a dependency on an older version of Newtonsoft.Json: 3.9.57.nupkg tools/netcoreapp3.1/any/Newtonsoft.Json.dll [8.0.4-beta1, 13.0.1-beta2).
This has a security vulnerability which is being identified by Sonatype (Sonatype is a tool used by my company which prevents the use of NuGet packages that have security vulnerabilities).
It appears that Newtonsoft has addressed this concern in versions of Newtonsoft.Json > 13, which was released almost a year ago.
Below this line are the details from Sonatype explaining the reason for not allowing packages which use this older version of Newtonsoft.Json.
sonatype-2021-0713
Explanation
The Newtonsoft.Json package is vulnerable to a Denial of Service (DoS) attack. The JsonSerializerSettings.cs file and the constructor in the JsonReader class fails to enforce a sufficient maximum depth when serializing nested JSON objects. Consequently, serializing large numbers of nested JSON objects may cause the application to crash with a StackOverflowException. A remote attacker who can supply JSON data to be serialized by the application can exploit this vulnerability to cause a DoS condition or other unexpected behavior.
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
Root Cause
SpecFlow.Plus.LivingDoc.CLI-3.9.57.nupkgtools/netcoreapp3.1/any/Newtonsoft.Json.dll[8.0.4-beta1, 13.0.1-beta2)
SpecFlow.Plus.LivingDoc.CLI-3.9.57.nupkgtools/net5.0/any/Newtonsoft.Json.dll[8.0.4-beta1, 13.0.1-beta2)
Advisories
Project: https://github.com/JamesNK/Newtonsoft.Json/issues/2535
Third Party: https://alephsecurity.com/vulns/aleph-2018004
CVSS Details
Sonatype CVSS 3: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
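As an added illustration (not part of the original post, the SpecFlow project, or the Sonatype advisory), the C# snippet below shows the defensive setting the advisory's explanation points at: bounding nesting depth when deserializing untrusted JSON with Newtonsoft.Json, so that over-nested input is rejected with an exception instead of exhausting the stack. It assumes an application that references Newtonsoft.Json 13.0.1 or later directly; the class and method names (`DepthBoundedJson`, `NestedArrays`, `ParseBounded`) and the depth limit of 32 are the example's own choices. It does not alter the copy bundled inside the LivingDoc CLI tool package, which is the bundled/transitive case the advisory's note describes; that copy can only be fixed by the package maintainers shipping a newer Newtonsoft.Json.

```csharp
// Added example (not from the original post, SpecFlow, or Sonatype):
// bounding nesting depth when parsing untrusted JSON with Newtonsoft.Json.
// Assumes Newtonsoft.Json 13.0.1 or later is referenced by the application.
using System;
using System.Text;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

static class DepthBoundedJson
{
    // Constructed input: a JSON array nested `depth` levels deep, e.g. "[[[]]]".
    // Stands in for the kind of payload the advisory describes.
    static string NestedArrays(int depth)
    {
        var sb = new StringBuilder(depth * 2);
        sb.Append('[', depth);
        sb.Append(']', depth);
        return sb.ToString();
    }

    // Parse with an explicit depth ceiling. Newtonsoft.Json 13.0.1 defaults
    // MaxDepth to 64; versions in the vulnerable range had no limit, which is
    // the StackOverflowException DoS in sonatype-2021-0713. Returns null when
    // the input exceeds the ceiling, because the reader throws before the
    // recursion gets deep enough to crash the process.
    static JToken ParseBounded(string json, int maxDepth)
    {
        var settings = new JsonSerializerSettings { MaxDepth = maxDepth };
        try
        {
            return JsonConvert.DeserializeObject<JToken>(json, settings);
        }
        catch (JsonReaderException ex)
        {
            // Log and reject; do not let the caller treat this as valid input.
            Console.WriteLine("rejected: " + ex.Message);
            return null;
        }
    }

    static void Main()
    {
        const int limit = 32;

        // Modest nesting is accepted.
        var ok = ParseBounded(NestedArrays(10), limit);
        Console.WriteLine(ok != null ? "accepted depth 10" : "rejected depth 10");

        // Hostile nesting is refused with JsonReaderException instead of a crash.
        var rejected = ParseBounded(NestedArrays(10000), limit);
        Console.WriteLine(rejected != null ? "accepted depth 10000" : "rejected depth 10000");
    }
}
```

Setting `MaxDepth` on `JsonSerializerSettings` (or directly on a `JsonTextReader`) is the application-side control that applies regardless of which Newtonsoft.Json version is in use, but it only helps code you control; a tool package that carries its own `Newtonsoft.Json.dll` still needs the upgrade the advisory recommends.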