GHSA-3x49-g6rc-c284

Source

https://github.com/advisories/GHSA-3x49-g6rc-c284

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-3x49-g6rc-c284/GHSA-3x49-g6rc-c284.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3x49-g6rc-c284

Aliases

CVE-2022-23535

Published

2023-02-24T16:22:50Z

Modified

2023-11-08T04:08:21.233602Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

LiteDB may deserialize bad JSON on object type using _type

Details

Impact

LiteDB use a special field in JSON documents to cast diferent types from BsonDocument do POCO classes. When instance of an object are not the same of class, BsonMapper use a special field _type string info with full class name with assembly to be loaded and fit in your model. If your end-user can send to your app a plain JSON string, deserialization can load an unsafe object to fit in your model.

Patches

Version >= 5.0.13 add some basic fixes to avoid this, but is not 100% guaranteed when using Object type Next major version will contains a allow-list to select what king of Assembly can be loaded

Workarounds

Avoid users send to your app a JSON string to be direct insert/update into database
Avoid use classes with Object type - try use an interface when possible

If your app send a plain JSON string to be insert/update into database, prefer this:

// Bad
public class Customer {
    public int Id { get; set; }
    public string Name { get; set; }
    public Object AnyData { get; set; } // <= Avoid use `Object` base type
}

// Good
public class Customer {
    public int Id { get; set; }
    public string Name { get; set; }
    public IDictionary&lt;string, string> AnyData { get; set; } // Will accept only key/value strings
}

References

See this workaround fix on this commit:

https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f

Database specific

{
    "nvd_published_at": "2023-02-24T23:15:00Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "github_reviewed_at": "2023-02-24T16:22:50Z",
    "severity": "CRITICAL",
    "github_reviewed": true
}

References

Affected packages

NuGet / LiteDB

Package

Name: LiteDB; View open source insights on deps.dev
Purl: pkg:nuget/LiteDB

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.0.13

Affected versions

0.*

0.5.0

0.6.0

0.8.0

0.9.0

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

2.*

2.0.0-beta

2.0.0-rc

2.0.0-rc2

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

3.*

3.0.0-beta

3.0.0-beta2

3.0.0-beta3

3.0.0

3.0.1

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

4.*

4.0.0-beta1

4.0.0-beta2

4.0.0

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

5.*

5.0.0-alpha

5.0.0-alpha2

5.0.0-beta

5.0.0-rc

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-3x49-g6rc-c284/GHSA-3x49-g6rc-c284.json"