Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer. e.g. using a surrogate on the sender end, an attacker can pass information about a different type for the receiving end. And by doing so allowing the serializer to create any type on the deserializing end. This is the same issue that exists for .NET BinaryFormatter https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300?view=vs-2019. This also applies to the fork of Wire.
References
Link | Resource |
---|---|
https://github.com/AsynkronIT/Wire/security/advisories/GHSA-hpw7-3vq3-mmv6 | Exploit Third Party Advisory |
https://www.nuget.org/packages/Wire/ | Third Party Advisory |
https://github.com/AsynkronIT/Wire/security/advisories/GHSA-hpw7-3vq3-mmv6 | Exploit Third Party Advisory |
https://www.nuget.org/packages/Wire/ | Third Party Advisory |
Configurations
History
21 Nov 2024, 06:01
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/AsynkronIT/Wire/security/advisories/GHSA-hpw7-3vq3-mmv6 - Exploit, Third Party Advisory | |
References | () https://www.nuget.org/packages/Wire/ - Third Party Advisory |
25 May 2021, 20:39
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://github.com/AsynkronIT/Wire/security/advisories/GHSA-hpw7-3vq3-mmv6 - Exploit, Third Party Advisory | |
References | (MISC) https://www.nuget.org/packages/Wire/ - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : 6.4
v3 : 9.1 |
CPE | cpe:2.3:a:asynkron:wire:*:*:*:*:*:*:*:* |
Information
Published : 2021-05-11 17:15
Updated : 2024-11-21 06:01
NVD link : CVE-2021-29508
Mitre link : CVE-2021-29508
CVE.ORG link : CVE-2021-29508
JSON object : View
Products Affected
asynkron
- wire
CWE
CWE-502
Deserialization of Untrusted Data