
CVE-2022-23535 litedb

Package

Manager: nuget
Name: litedb
Vulnerable Version: >=0 <5.0.13

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00471 (percentile 0.63657)

Details

LiteDB may deserialize bad JSON on object type using _type

### Impact

LiteDB uses a special field in JSON documents to cast different types from `BsonDocument` to POCO classes. When the instance of an object is not of the same class as the property, `BsonMapper` uses a special string field `_type` containing the full class name with assembly, which is loaded and fitted into your model. If your end user can send your app a plain JSON string, deserialization can load an unsafe object to fit into your model.

### Patches

Version >= 5.0.13 adds some basic fixes to avoid this, but it is not 100% guaranteed when using the `Object` type. The next major version will contain an allow-list to select what kind of Assembly can be loaded.

### Workarounds

- Avoid letting users send your app a JSON string that is inserted/updated directly into the database
- Avoid using classes with the `Object` type; try to use an interface when possible

If your app sends a plain JSON string to be inserted/updated into the database, prefer this:

```csharp
using System;
using System.Collections.Generic;

// Bad
namespace Bad
{
    public class Customer
    {
        public int Id { get; set; }
        public string Name { get; set; }
        public Object AnyData { get; set; } // <= Avoid using the `Object` base type: a `_type` hint in the JSON decides what is instantiated here
    }
}

// Good
namespace Good
{
    public class Customer
    {
        public int Id { get; set; }
        public string Name { get; set; }
        public IDictionary<string, string> AnyData { get; set; } // Will accept only key/value strings
    }
}
```

### References

See this workaround fix on this commit: https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f
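The advisory says a future release will gate `_type` behind an allow-list; until then an application can apply the same idea at its own boundary. The following is an added example, not LiteDB's code: it walks an incoming JSON string with `System.Text.Json` and reports any `_type` hint that is not on an application-defined allow-list, so the string can be rejected before it reaches `BsonMapper`. The `TypeHintGuard` class, the `AllowedTypes` contents and the `MyApp.Models.Address` entry are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

// Added example, not LiteDB's code: screen untrusted JSON for "_type" hints
// before it reaches BsonMapper. The allow-list contents are an assumption.
public static class TypeHintGuard
{
    // Assumed allow-list of fully qualified names your own model needs;
    // keep it empty if end-user JSON should never carry a type hint at all.
    private static readonly HashSet<string> AllowedTypes =
        new HashSet<string>(StringComparer.Ordinal)
        {
            "MyApp.Models.Address, MyApp" // hypothetical entry for illustration
        };
    // Returns null if the document is acceptable, otherwise the first "_type"
    // value not on the allow-list. A parse error propagates; treat it as a
    // rejection as well, since LiteDB's own JSON reader is a separate parser.
    public static string FindDisallowedTypeHint(string json)
    {
        using JsonDocument doc = JsonDocument.Parse(json);
        return Walk(doc.RootElement);
    }

    private static string Walk(JsonElement element)
    {
        if (element.ValueKind == JsonValueKind.Object)
        {
            foreach (JsonProperty prop in element.EnumerateObject())
            {
                if (prop.Name == "_type")
                {
                    string typeName = prop.Value.ValueKind == JsonValueKind.String
                        ? prop.Value.GetString() : prop.Value.GetRawText();
                    if (!AllowedTypes.Contains(typeName)) return typeName;
                }
                string nested = Walk(prop.Value); // recurse into objects/arrays
                if (nested != null) return nested;
            }
        }
        else if (element.ValueKind == JsonValueKind.Array)
        {
            foreach (JsonElement item in element.EnumerateArray())
            {
                string nested = Walk(item);
                if (nested != null) return nested;
            }
        }
        return null; // scalars carry no type hint
    }
}
```

Call `FindDisallowedTypeHint` on the raw request body before any insert/update that goes through `BsonMapper`, and reject the request when it returns a non-null value; this complements, rather than replaces, the model change to `IDictionary<string, string>` shown above.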

Metadata

Created: 2023-02-24T16:22:50Z
Modified: 2023-03-06T22:00:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-3x49-g6rc-c284/GHSA-3x49-g6rc-c284.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-3x49-g6rc-c284
Finding: F096
Auto approve: 1