GHSA-5crp-9r3c-p9vr

Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-5crp-9r3c-p9vr/GHSA-5crp-9r3c-p9vr.json
Published: 2022-06-22T15:08:47Z
Modified: 2022-06-22T15:33:27.227789Z
Details

Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of StackOverflow exceptions (SOE) raised whenever nested expressions are processed. Exploiting this vulnerability results in Denial of Service (DoS); it is exploitable when an attacker sends 5 requests that each cause an SOE within a time frame of 5 minutes. This vulnerability affects Internet Information Services (IIS) applications.

Affected packages

NuGet / Newtonsoft.Json

Newtonsoft.Json

Affected ranges

Type: ECOSYSTEM
Events:
Introduced: 0
Fixed: 13.0.1

Affected versions

10.*

10.0.1
10.0.1-beta1
10.0.2
10.0.3

11.*

11.0.1
11.0.1-beta1
11.0.1-beta2
11.0.1-beta3
11.0.2

12.*

12.0.1
12.0.1-beta1
12.0.1-beta2
12.0.2
12.0.2-beta1
12.0.2-beta2
12.0.2-beta3
12.0.3
12.0.3-beta1
12.0.3-beta2

13.*

13.0.1-beta1
13.0.1-beta2

3.*

3.5.8

4.*

4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.5.1
4.5.10
4.5.11
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.5.9

5.*

5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8

6.*

6.0.1
6.0.1-beta1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7
6.0.8

7.*

7.0.1
7.0.1-beta1
7.0.1-beta2
7.0.1-beta3

8.*

8.0.1
8.0.1-beta1
8.0.1-beta2
8.0.1-beta3
8.0.1-beta4
8.0.2
8.0.3
8.0.4-beta1

9.*

9.0.1
9.0.1-beta1
9.0.2-beta1
9.0.2-beta2