#VU96575 Improper handling of exceptional conditions in Newtonsoft.Json - CVE-2024-21907

Cybersecurity Help s.r.o.

Published: 2024-08-27

Vulnerability identifier: #VU96575

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-21907

CWE-ID: CWE-755

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Newtonsoft.Json
Web applications / JS libraries

Vendor: JamesNK

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of errors within the JsonConvert.DeserializeObject method. A remote attacker can send specially crafted input and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Newtonsoft.Json: 1.3.1 - 12.0.3

External links
https://github.com/JamesNK/Newtonsoft.Json/issues/2457
https://github.com/JamesNK/Newtonsoft.Json/pull/2462
https://github.com/JamesNK/Newtonsoft.Json/commit/7e77bbe1beccceac4fc7b174b53abfefac278b66
https://alephsecurity.com/2018/10/22/StackOverflowException/
https://alephsecurity.com/vulns/aleph-2018004
https://security.snyk.io/vuln/SNYK-DOTNET-NEWTONSOFTJSON-2774678
https://github.com/advisories/GHSA-5crp-9r3c-p9vr
https://vulncheck.com/advisories/vc-advisory-GHSA-5crp-9r3c-p9vr

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Dell Live Optics Linux Collector update for Newtonsoft.Json

Improper handling of exceptional conditions in IBM Robotic Process Automation

Denial of service in Newtonsoft.Json