9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
56.4%
LiteDB use a special field in JSON documents to cast diferent types from BsonDocument
do POCO classes. When instance of an object are not the same of class, BsonMapper
use a special field _type
string info with full class name with assembly to be loaded and fit in your model.
If your end-user can send to your app a plain JSON string, deserialization can load an unsafe object to fit in your model.
Version >= 5.0.13 add some basic fixes to avoid this, but is not 100% guaranteed when using Object
type
Next major version will contains a allow-list to select what king of Assembly can be loaded
Object
type - try use an interface when possibleIf your app send a plain JSON string to be insert/update into database, prefer this:
// Bad
public class Customer {
public int Id { get; set; }
public string Name { get; set; }
public Object AnyData { get; set; } // <= Avoid use `Object` base type
}
// Good
public class Customer {
public int Id { get; set; }
public string Name { get; set; }
public IDictionary<string, string> AnyData { get; set; } // Will accept only key/value strings
}
See this workaround fix on this commit:
https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f
github.com/advisories/GHSA-3x49-g6rc-c284
github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f
github.com/mbdavid/LiteDB/commit/d72c6774e6a13de2cfcd7d477d3575efeb75c8f2
github.com/mbdavid/LiteDB/releases/tag/v5.0.13
github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284
nvd.nist.gov/vuln/detail/CVE-2022-23535