Hi,

We wanted to use ALM Toolkit for source control of PowerBI datasets. However, due to some vulnerabilities, we are unable to. I've included the text below. Anything I can do to help make this clearer or easier to solve, please let me know!

Components:
Newtonsoft.Json 10.0.3
Newtonsoft.Json 12.0.1
Newtonsoft.Json 12.0.3
Newtonsoft/Json.NET Newtonsoft.Json.dll 12.0.3.23909

The Newtonsoft.Json package is vulnerable to a Denial of Service (DoS) attack. The JsonSerializerSettings.cs file and the constructor in the JsonReader class fail to enforce a sufficient maximum depth when serializing nested JSON objects. Consequently, serializing large numbers of nested JSON objects may cause the application to crash with a StackOverflowException. A remote attacker who can supply JSON data to be serialized by the application can exploit this vulnerability to cause a DoS condition or other unexpected behavior.

Components:
MSBuild.Extension.Pack 1.8.0

DotNetZip is vulnerable to arbitrary file write. By creating a zip archive with relative paths, an attacker can overwrite any files that the current process has access to. An attacker can use this to compromise a system by overwriting files such as the web.config which can affect either integrity and confidentiality, or at a bare minimum availability.
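As an added example (not ALM Toolkit code), the two defensive measures for the vulnerability classes described above: bounding nesting depth with Newtonsoft.Json's `JsonSerializerSettings.MaxDepth`, and refusing DotNetZip entries whose resolved path escapes the extraction directory. The `64` depth limit and the 200-level nested input are constructed values; the class and method names are my own.

```csharp
using System;
using System.IO;
using Ionic.Zip;            // DotNetZip
using Newtonsoft.Json;

// Added example, not code from the ALM Toolkit project.
public static class HardenedDeps
{
    // Newtonsoft.Json: cap nesting depth so hostile input fails with a
    // JsonReaderException instead of recursing into a StackOverflowException.
    // MaxDepth is a real JsonSerializerSettings property; 64 is a constructed limit.
    public static readonly JsonSerializerSettings SafeJson = new JsonSerializerSettings
    {
        MaxDepth = 64,
    };

    public static T Deserialize<T>(string json)
        => JsonConvert.DeserializeObject<T>(json, SafeJson);

    // Constructed input: 200 nested arrays, far past MaxDepth. Returns true
    // when the depth limit rejects it, i.e. the process did not crash.
    public static bool RejectsDeepNesting()
    {
        string hostile = new string('[', 200) + new string(']', 200);
        try { Deserialize<object>(hostile); return false; }
        catch (JsonReaderException) { return true; }
    }

    // DotNetZip: resolve each entry name against the destination and refuse any
    // entry that lands outside it (the "relative paths" arbitrary-write case).
    public static void ExtractSafely(string zipPath, string destDir)
    {
        string root = Path.GetFullPath(destDir)
                          .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;

        using (ZipFile zip = ZipFile.Read(zipPath))
        {
            foreach (ZipEntry entry in zip)
            {
                // Path.GetFullPath collapses "..\" segments; an absolute entry name
                // also resolves outside root and is caught by the same check.
                string target = Path.GetFullPath(Path.Combine(root, entry.FileName));
                if (!target.StartsWith(root, StringComparison.OrdinalIgnoreCase))
                    throw new InvalidDataException(
                        $"Zip entry '{entry.FileName}' resolves outside '{root}'; refusing to extract.");

                entry.Extract(root, ExtractExistingFileAction.DoNotOverwrite);
            }
        }
    }
}
```

`DoNotOverwrite` additionally keeps an archive from replacing existing files such as web.config even when an entry name is well-formed.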