CVE-2022-23535 (GCVE-0-2022-23535)

Vulnerability from cvelistv5 – Published: 2023-02-24 22:40 – Updated: 2025-03-10 21:06
VLAI
Title
LiteDB contains Deserialization of Untrusted Data
Summary
LiteDB is a small, fast and lightweight .NET NoSQL embedded database. Versions prior to 5.0.13 are subject to Deserialization of Untrusted Data. LiteDB uses a special field in JSON documents to cast different types from `BsonDocument` to POCO classes. When instances of an object are not the same of class, `BsonMapper` use a special field `_type` string info with full class name with assembly to be loaded and fit into your model. If your end-user can send to your app a plain JSON string, deserialization can load an unsafe object to fit into your model. This issue is patched in version 5.0.13 with some basic fixes to avoid this, but is not 100% guaranteed when using `Object` type. The next major version will contain an allow-list to select what kind of Assembly can be loaded. Workarounds are detailed in the vendor advisory.
Severity
7.3 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
Vendor Product Version
mbdavid LiteDB Affected: < 5.0.13
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:43:46.390Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284"
          },
          {
            "name": "https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23535",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T20:58:20.417717Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:06:16.611Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LiteDB",
          "vendor": "mbdavid",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.0.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LiteDB is a small, fast and lightweight .NET NoSQL embedded database. Versions prior to 5.0.13 are subject to Deserialization of Untrusted Data. LiteDB uses a special field in JSON documents to cast different types from `BsonDocument` to POCO classes. When instances of an object are not the same of class, `BsonMapper` use a special field `_type` string info with full class name with assembly to be loaded and fit into your model. If your end-user can send to your app a plain JSON string, deserialization can load an unsafe  object to fit into your model. This issue is patched in version 5.0.13 with some basic fixes to avoid this, but is not 100% guaranteed when using `Object` type. The next major version will contain an allow-list to select what kind of Assembly can be loaded. Workarounds are detailed in the vendor advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-24T22:40:06.444Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284"
        },
        {
          "name": "https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f"
        }
      ],
      "source": {
        "advisory": "GHSA-3x49-g6rc-c284",
        "discovery": "UNKNOWN"
      },
      "title": "LiteDB contains Deserialization of Untrusted Data"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-23535",
    "datePublished": "2023-02-24T22:40:06.444Z",
    "dateReserved": "2022-01-19T21:23:53.793Z",
    "dateUpdated": "2025-03-10T21:06:16.611Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-23535",
      "date": "2026-06-07",
      "epss": "0.01166",
      "percentile": "0.78995"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:litedb:litedb:*:*:*:*:*:.net:*:*\", \"versionEndExcluding\": \"5.0.13\", \"matchCriteriaId\": \"4E7140DC-3C15-4592-94CE-0BD0D07A3106\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"LiteDB is a small, fast and lightweight .NET NoSQL embedded database. Versions prior to 5.0.13 are subject to Deserialization of Untrusted Data. LiteDB uses a special field in JSON documents to cast different types from `BsonDocument` to POCO classes. When instances of an object are not the same of class, `BsonMapper` use a special field `_type` string info with full class name with assembly to be loaded and fit into your model. If your end-user can send to your app a plain JSON string, deserialization can load an unsafe  object to fit into your model. This issue is patched in version 5.0.13 with some basic fixes to avoid this, but is not 100% guaranteed when using `Object` type. The next major version will contain an allow-list to select what kind of Assembly can be loaded. Workarounds are detailed in the vendor advisory.\"}, {\"lang\": \"es\", \"value\": \"LiteDB es una base de datos integrada .NET NoSQL peque\\u00f1a, r\\u00e1pida y liviana. Las versiones anteriores a la 5.0.13 est\\u00e1n sujetas a la deserializaci\\u00f3n de datos que no son de confianza. LiteDB utiliza un campo especial en documentos JSON para convertir diferentes tipos, desde `BsonDocument` a clases POCO. Cuando las instancias de un objeto no son las mismas que las de una clase, `BsonMapper` usa un campo especial `_type` con informaci\\u00f3n de cadena con el nombre completo de la clase con el ensamblaje que se cargar\\u00e1 y se ajustar\\u00e1 a su modelo. Si su usuario final puede enviar a su aplicaci\\u00f3n una cadena JSON simple, la deserializaci\\u00f3n puede cargar un objeto inseguro para que quepa en su modelo. Este problema se solucion\\u00f3 en la versi\\u00f3n 5.0.13 con algunas correcciones b\\u00e1sicas para evitarlo, pero no est\\u00e1 100% garantizado cuando se usa el tipo \\\"Objeto\\\". La pr\\u00f3xima versi\\u00f3n principal contendr\\u00e1 una lista de permitidos para seleccionar qu\\u00e9 tipo de ensamblaje se puede cargar. Los workarounds se detallan en el aviso para proveedores.\"}]",
      "id": "CVE-2022-23535",
      "lastModified": "2024-11-21T06:48:45.737",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"baseScore\": 7.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2023-02-24T23:15:10.663",
      "references": "[{\"url\": \"https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mitigation\", \"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Patch\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-23535\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-02-24T23:15:10.663\",\"lastModified\":\"2024-11-21T06:48:45.737\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LiteDB is a small, fast and lightweight .NET NoSQL embedded database. Versions prior to 5.0.13 are subject to Deserialization of Untrusted Data. LiteDB uses a special field in JSON documents to cast different types from `BsonDocument` to POCO classes. When instances of an object are not the same of class, `BsonMapper` use a special field `_type` string info with full class name with assembly to be loaded and fit into your model. If your end-user can send to your app a plain JSON string, deserialization can load an unsafe  object to fit into your model. This issue is patched in version 5.0.13 with some basic fixes to avoid this, but is not 100% guaranteed when using `Object` type. The next major version will contain an allow-list to select what kind of Assembly can be loaded. Workarounds are detailed in the vendor advisory.\"},{\"lang\":\"es\",\"value\":\"LiteDB es una base de datos integrada .NET NoSQL peque\u00f1a, r\u00e1pida y liviana. Las versiones anteriores a la 5.0.13 est\u00e1n sujetas a la deserializaci\u00f3n de datos que no son de confianza. LiteDB utiliza un campo especial en documentos JSON para convertir diferentes tipos, desde `BsonDocument` a clases POCO. Cuando las instancias de un objeto no son las mismas que las de una clase, `BsonMapper` usa un campo especial `_type` con informaci\u00f3n de cadena con el nombre completo de la clase con el ensamblaje que se cargar\u00e1 y se ajustar\u00e1 a su modelo. Si su usuario final puede enviar a su aplicaci\u00f3n una cadena JSON simple, la deserializaci\u00f3n puede cargar un objeto inseguro para que quepa en su modelo. Este problema se solucion\u00f3 en la versi\u00f3n 5.0.13 con algunas correcciones b\u00e1sicas para evitarlo, pero no est\u00e1 100% garantizado cuando se usa el tipo \\\"Objeto\\\". La pr\u00f3xima versi\u00f3n principal contendr\u00e1 una lista de permitidos para seleccionar qu\u00e9 tipo de ensamblaje se puede cargar. Los workarounds se detallan en el aviso para proveedores.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:litedb:litedb:*:*:*:*:*:.net:*:*\",\"versionEndExcluding\":\"5.0.13\",\"matchCriteriaId\":\"4E7140DC-3C15-4592-94CE-0BD0D07A3106\"}]}]}],\"references\":[{\"url\":\"https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Patch\",\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.