Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
LiteDB contains Deserialization of Untrusted Data
Vulnerability Description
LiteDB is a small, fast and lightweight .NET NoSQL embedded database. Versions prior to 5.0.13 are subject to Deserialization of Untrusted Data. LiteDB uses a special field in JSON documents to cast different types from `BsonDocument` to POCO classes. When instances of an object are not the same of class, `BsonMapper` use a special field `_type` string info with full class name with assembly to be loaded and fit into your model. If your end-user can send to your app a plain JSON string, deserialization can load an unsafe object to fit into your model. This issue is patched in version 5.0.13 with some basic fixes to avoid this, but is not 100% guaranteed when using `Object` type. The next major version will contain an allow-list to select what kind of Assembly can be loaded. Workarounds are detailed in the vendor advisory.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Vulnerability Type
可信数据的反序列化
Vulnerability Title
LiteDB 代码问题漏洞
Vulnerability Description
LiteDB是单个数据文件中的 .NET NoSQL 文档存储。 LiteDB 5.0.13之前版本存在安全漏洞,该漏洞源于在 JSON 文档中使用一个特殊的字段来从POCO 类中转换为不同的类型,导致反序列化。
CVSS Information
N/A
Vulnerability Type
N/A