CVE-2022-23535 - Vulnerability Details

Vendors	Products
Litedb	Litedb

Source	ID	Title
EUVD	EUVD-2023-0618	LiteDB is a small, fast and lightweight .NET NoSQL embedded database. Versions prior to 5.0.13 are subject to Deserialization of Untrusted Data. LiteDB uses a special field in JSON documents to cast different types from `BsonDocument` to POCO classes. When instances of an object are not the same of class, `BsonMapper` use a special field `_type` string info with full class name with assembly to be loaded and fit into your model. If your end-user can send to your app a plain JSON string, deserialization can load an unsafe object to fit into your model. This issue is patched in version 5.0.13 with some basic fixes to avoid this, but is not 100% guaranteed when using `Object` type. The next major version will contain an allow-list to select what kind of Assembly can be loaded. Workarounds are detailed in the vendor advisory.
Github GHSA	GHSA-3x49-g6rc-c284	LiteDB may deserialize bad JSON on object type using _type

Link	Providers
https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f
https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-23535", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2022-01-19T21:23:53.793Z", "datePublished": "2023-02-24T22:40:06.444Z", "dateUpdated": "2025-03-10T21:06:16.611Z"}, "containers": {"cna": {"title": "LiteDB contains Deserialization of Untrusted Data", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284"}, {"name": "https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f", "tags": ["x_refsource_MISC"], "url": "https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f"}], "affected": [{"vendor": "mbdavid", "product": "LiteDB", "versions": [{"version": "< 5.0.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-02-24T22:40:06.444Z"}, "descriptions": [{"lang": "en", "value": "LiteDB is a small, fast and lightweight .NET NoSQL embedded database. Versions prior to 5.0.13 are subject to Deserialization of Untrusted Data. LiteDB uses a special field in JSON documents to cast different types from `BsonDocument` to POCO classes. When instances of an object are not the same of class, `BsonMapper` use a special field `_type` string info with full class name with assembly to be loaded and fit into your model. If your end-user can send to your app a plain JSON string, deserialization can load an unsafe object to fit into your model. This issue is patched in version 5.0.13 with some basic fixes to avoid this, but is not 100% guaranteed when using `Object` type. The next major version will contain an allow-list to select what kind of Assembly can be loaded. Workarounds are detailed in the vendor advisory."}], "source": {"advisory": "GHSA-3x49-g6rc-c284", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:46.390Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284"}, {"name": "https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-10T20:58:20.417717Z", "id": "CVE-2022-23535", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T21:06:16.611Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:litedb:litedb:*:*:*:*:*:.net:*:*", "matchCriteriaId": "4E7140DC-3C15-4592-94CE-0BD0D07A3106", "versionEndExcluding": "5.0.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "LiteDB is a small, fast and lightweight .NET NoSQL embedded database. Versions prior to 5.0.13 are subject to Deserialization of Untrusted Data. LiteDB uses a special field in JSON documents to cast different types from `BsonDocument` to POCO classes. When instances of an object are not the same of class, `BsonMapper` use a special field `_type` string info with full class name with assembly to be loaded and fit into your model. If your end-user can send to your app a plain JSON string, deserialization can load an unsafe object to fit into your model. This issue is patched in version 5.0.13 with some basic fixes to avoid this, but is not 100% guaranteed when using `Object` type. The next major version will contain an allow-list to select what kind of Assembly can be loaded. Workarounds are detailed in the vendor advisory."}, {"lang": "es", "value": "LiteDB es una base de datos integrada .NET NoSQL peque\u00f1a, r\u00e1pida y liviana. Las versiones anteriores a la 5.0.13 est\u00e1n sujetas a la deserializaci\u00f3n de datos que no son de confianza. LiteDB utiliza un campo especial en documentos JSON para convertir diferentes tipos, desde `BsonDocument` a clases POCO. Cuando las instancias de un objeto no son las mismas que las de una clase, `BsonMapper` usa un campo especial `_type` con informaci\u00f3n de cadena con el nombre completo de la clase con el ensamblaje que se cargar\u00e1 y se ajustar\u00e1 a su modelo. Si su usuario final puede enviar a su aplicaci\u00f3n una cadena JSON simple, la deserializaci\u00f3n puede cargar un objeto inseguro para que quepa en su modelo. Este problema se solucion\u00f3 en la versi\u00f3n 5.0.13 con algunas correcciones b\u00e1sicas para evitarlo, pero no est\u00e1 100% garantizado cuando se usa el tipo \"Objeto\". La pr\u00f3xima versi\u00f3n principal contendr\u00e1 una lista de permitidos para seleccionar qu\u00e9 tipo de ensamblaje se puede cargar. Los workarounds se detallan en el aviso para proveedores."}], "id": "CVE-2022-23535", "lastModified": "2024-11-21T06:48:45.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-24T23:15:10.663", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object