GHSA-3x49-g6rc-c284
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3x49-g6rc-c284
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-3x49-g6rc-c284/GHSA-3x49-g6rc-c284.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3x49-g6rc-c284
- Aliases
- Published
- 2023-02-24T16:22:50Z
- Modified
- 2023-11-08T04:08:21.233602Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- LiteDB may deserialize bad JSON on object type using _type
- Details
-
Impact
LiteDB use a special field in JSON documents to cast diferent types from
BsonDocumentdo POCO classes. When instance of an object are not the same of class,BsonMapperuse a special field_typestring info with full class name with assembly to be loaded and fit in your model. If your end-user can send to your app a plain JSON string, deserialization can load an unsafe object to fit in your model.Patches
Version >= 5.0.13 add some basic fixes to avoid this, but is not 100% guaranteed when using
Objecttype Next major version will contains a allow-list to select what king of Assembly can be loadedWorkarounds
- Avoid users send to your app a JSON string to be direct insert/update into database
- Avoid use classes with
Objecttype - try use an interface when possible
If your app send a plain JSON string to be insert/update into database, prefer this:
// Bad public class Customer { public int Id { get; set; } public string Name { get; set; } public Object AnyData { get; set; } // <= Avoid use `Object` base type } // Good public class Customer { public int Id { get; set; } public string Name { get; set; } public IDictionary<string, string> AnyData { get; set; } // Will accept only key/value strings }References
See this workaround fix on this commit:
https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f
- Database specific
{ "nvd_published_at": "2023-02-24T23:15:00Z", "github_reviewed_at": "2023-02-24T16:22:50Z", "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-502" ] }- References
-
- https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284
- https://nvd.nist.gov/vuln/detail/CVE-2022-23535
- https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f
- https://github.com/mbdavid/LiteDB/commit/d72c6774e6a13de2cfcd7d477d3575efeb75c8f2
- https://github.com/mbdavid/LiteDB
- https://github.com/mbdavid/LiteDB/releases/tag/v5.0.13
Affected packages
NuGet / LiteDB
Package
- Name
- LiteDB
- View open source insights on deps.dev
- Purl
- pkg:nuget/LiteDB
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.0.13