Investigate vulnerability: Microsoft Security Advisory CVE-2024-43485 | .NET Denial of Service Vulnerability

Issue created from vulnerability 1142

Description:

Microsoft is releasing this security advisory to provide information about a vulnerability in System.Text.Json 6.0.x and 8.0.x. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

In System.Text.Json 6.0.x and 8.0.x, applications which deserialize input to a model with an [ExtensionData] property can be vulnerable to an algorithmic complexity attack resulting in Denial of Service.

• Severity: high
• Location: packages.lock.json

Solution:

Upgrade to versions 6.0.10, 8.0.5 or above.

Identifiers:

• Gemnasium-28f33d6e-aaaa-4020-bcdc-9ca3fbac274d
• CVE-2024-43485
• GHSA-8g4q-xg66-9fp4
• CWE-407
• CWE-937
• CWE-1035

Links:

• https://github.com/advisories/GHSA-8g4q-xg66-9fp4
• https://github.com/dotnet/announcements/issues/329
• https://github.com/dotnet/runtime
• https://github.com/dotnet/runtime/issues/108678
• https://github.com/dotnet/runtime/security/advisories/GHSA-8g4q-xg66-9fp4
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485
• https://nvd.nist.gov/vuln/detail/CVE-2024-43485

Scanner:

• Name: GitLab SBoM Vulnerability Scanner