microsoft / Analysis-Services

Git repo for Analysis Services samples and community projects
MIT License

Sonatype issues related to ALM Toolkit #123

Open aaronsmith1234 opened 2 years ago

aaronsmith1234 commented 2 years ago

Hi, We wanted to use ALM Toolkit for source control of PowerBI datasets. However, due to some vulnerabilities, we are unable to. I've included the text below. Anything I can do to help make this clearer or easier to solve, please let me know!

Components:

- Newtonsoft.Json 10.0.3
- Newtonsoft.Json 12.0.1
- Newtonsoft.Json 12.0.3
- Newtonsoft/Json.NET Newtonsoft.Json.dll 12.0.3.23909

The Newtonsoft.Json package is vulnerable to a Denial of Service (DoS) attack. The JsonSerializerSettings.cs file and the constructor in the JsonReader class fail to enforce a sufficient maximum depth when serializing nested JSON objects. Consequently, serializing large numbers of nested JSON objects may cause the application to crash with a StackOverflowException. A remote attacker who can supply JSON data to be serialized by the application can exploit this vulnerability to cause a DoS condition or other unexpected behavior.

Components: MSBuild.Extension.Pack 1.8.0

DotNetZip is vulnerable to arbitrary file write. By creating a zip archive with relative paths, an attacker can overwrite any files that the current process has access to. An attacker can use this to compromise a system by overwriting files such as the web.config which can affect either integrity and confidentiality, or at a bare minimum availability.
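The two findings above map to two well-known hardening patterns: cap JSON nesting depth so a hostile payload fails fast instead of exhausting the stack, and validate every archive entry's resolved path before writing it. The C# below is an added example written for this thread; it is not code from ALM Toolkit or this repository. `HardenedInput`, `Demo`, the depth limit of 32 and the constructed payload are assumptions; `JsonSerializerSettings.MaxDepth` and `JsonConvert.DeserializeObject` are real Newtonsoft.Json APIs, and the zip half uses `System.IO.Compression` to show the path check independently of which zip library is in use.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using Newtonsoft.Json;

// Added example (hypothetical class names); assumes Newtonsoft.Json and
// System.IO.Compression are referenced by the project.
public static class HardenedInput
{
    // Cap nesting depth so a deeply nested payload is rejected with a
    // JsonReaderException rather than a StackOverflowException.
    // MaxDepth is a real Newtonsoft.Json setting; 32 is a constructed limit
    // that should be tuned to the deepest document the app legitimately needs.
    public static readonly JsonSerializerSettings Settings = new JsonSerializerSettings
    {
        MaxDepth = 32,
        // Never let untrusted JSON choose which .NET types to instantiate.
        TypeNameHandling = TypeNameHandling.None,
    };

    public static T ParseJson<T>(string json)
    {
        return JsonConvert.DeserializeObject<T>(json, Settings);
    }

    // Extract only entries whose fully resolved path stays under destDir.
    // "../" traversal and absolute entry names resolve outside the root and
    // are refused instead of overwriting files the process can reach.
    public static void ExtractZipSafely(string zipPath, string destDir)
    {
        string root = Path.GetFullPath(destDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        using (ZipArchive archive = ZipFile.OpenRead(zipPath))
        {
            foreach (ZipArchiveEntry entry in archive.Entries)
            {
                // Path.Combine returns the entry name unchanged if it is rooted,
                // so the prefix check below also catches absolute paths.
                string target = Path.GetFullPath(Path.Combine(root, entry.FullName));
                if (!target.StartsWith(root, StringComparison.Ordinal))
                    throw new InvalidDataException(
                        "Refusing entry that resolves outside the destination: " + entry.FullName);

                if (entry.FullName.EndsWith("/") || entry.FullName.EndsWith("\\"))
                {
                    Directory.CreateDirectory(target);
                    continue;
                }

                Directory.CreateDirectory(Path.GetDirectoryName(target));
                // overwrite: false so an archive cannot clobber an existing file.
                entry.ExtractToFile(target, overwrite: false);
            }
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed payload: 100000 nested arrays. With the capped settings the
        // parser stops at depth 32 and throws JsonReaderException.
        string nested = new string('[', 100000) + new string(']', 100000);
        try
        {
            HardenedInput.ParseJson<object>(nested);
            Console.WriteLine("Parsed (unexpected with MaxDepth set)");
        }
        catch (JsonReaderException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

Upgrading the client libraries, as the maintainer suggests below, removes the scanner finding; setting `MaxDepth` explicitly and validating extraction paths keeps the application safe regardless of which library version a future dependency pulls in.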

christianwade commented 2 months ago

Hi Aaron, sorry for the delayed response. The next release will have updated client libs, so please retry if you're still blocked.