Dependency Check #46
Description
I am using the OWASP dependency check. It says that Newtonsoft.Json.Bson is vulnerable.
Description:
Json.NET BSON
Json.NET BSON adds support for reading and writing BSON
MD5: 61fc64ff51af4b43c7604ac5aa0b467c
SHA1: 2d6531ec2119ebfea3010c00d262a75f02624df3
SHA256:d36dc73cf754db8ab1b50eedad0c70363894159b6c4a8fd71dfd5eef0bf99743
Newtonsoft.Json before version 13.0.1 is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition.
CWE-755 Improper Handling of Exceptional Conditions
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
Vulnerable Software & Versions:
cpe:2.3:a:newtonsoft:json.net:*:*:*:*:*:*:*:* versions up to (excluding) 13.0.1