Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhwdzctM3ZxMy1tbXY2
Insecure deserialization in Wire
Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer. e.g. using a surrogate on the sender end, an attacker can pass information about a different type for the receiving end. And by doing so allowing the serializer to create any type on the deserializing end.
This is the same issue that exists for .NET BinaryFormatter https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300?view=vs-2019
This also applies to the fork of Wire, AkkaDotNet/Hyperion.
Permalink: https://github.com/advisories/GHSA-hpw7-3vq3-mmv6JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhwdzctM3ZxMy1tbXY2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 3 years ago
Updated: about 1 year ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Identifiers: GHSA-hpw7-3vq3-mmv6, CVE-2021-29508
References:
- https://github.com/AsynkronIT/Wire/security/advisories/GHSA-hpw7-3vq3-mmv6
- https://nvd.nist.gov/vuln/detail/CVE-2021-29508
- https://www.nuget.org/packages/Wire/
- https://github.com/advisories/GHSA-hpw7-3vq3-mmv6
Blast Radius: 1.0
Affected Packages
nuget:Wire
Dependent packages: 0Dependent repositories: 0
Downloads: 985,537 total
Affected Version Ranges: <= 1.0.0
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.7.0, 0.7.1, 0.8.0, 0.8.1, 0.8.2, 1.0.0