CVE-2021-29508 – wire
Package
Manager: nuget
Name: wire
Vulnerable Version: >=0 <=1.0.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H
EPSS: 0.00451 (percentile 0.62805)
Details
Insecure deserialization in Wire. Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer: e.g. by using a surrogate on the sending end, an attacker can supply type information describing a different type to the receiving end, which lets the serializer create any type on the deserializing end. **This is the same issue that exists for .NET BinaryFormatter: https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300?view=vs-2019** This also applies to the fork of Wire, AkkaDotNet/Hyperion.
Metadata
Created: 2021-05-19T23:02:38Z
Modified: 2021-05-19T19:38:22Z
Source: MANUAL
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-hpw7-3vq3-mmv6
Finding: F096
Auto approve: 1