A denial of service vulnerability exists when the .NET implementation of Bond improperly parses input, aka ‘Bond Denial of Service Vulnerability’. Handling of large container lengths that could cause an infinite loop when deserializing some payloads.
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-1469
- https://github.com/microsoft/bond/commit/3afea822c42dd0095fedb9e7db9ebb99165e7343
- https://github.com/microsoft/bond/commit/b0fd4a15a7cae946dd2855122559ca59cc34dbea
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1469
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1469
- https://www.nuget.org/packages/Bond.Core.CSharp/9.0.1
- https://github.com/advisories/GHSA-rqrc-8q8f-cp9c