CVE-2021-29508

Insecure deserialization in Wire

CVSS 9.1 (Critical) · EPSS 1.6% · CWE-502
Vexday Risk Score: 28 (Low)
SSVC decision (CISA): Track
No exploitation signal: monitor
KEV: no · PoC · Nuclei · Metasploit · Patch
Lifecycle
11 May 2021: published in NVD
Recommendation: monitor; no sign of exploitation for now.
Because of how Wire handles type information in its serialization format, a malicious payload can be passed to a deserializer. For example, by using a surrogate on the sending end, an attacker can supply type information for a different type to the receiving end, which lets the serializer instantiate an arbitrary type on the deserializing side. This is the same class of issue that affects .NET BinaryFormatter (see https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300?view=vs-2019). It also applies to the fork of Wire.
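The following C# program is an added illustration of the CWE-502 pattern the description refers to: a format that carries a type name, and a receiver that instantiates whatever type name the stream names. It is not Wire's code or Wire's wire format, and no gadget chain is shown; the payload layout (type name, then property assignments), the `Greeting` and `SideEffectOnSet` types, and the `TypeNameDeserializer` class are all assumptions made for the example. The hardened variant shows the usual mitigation, letting the receiver decide which types may be created instead of trusting the stream.

```csharp
// Added example (not from Wire or the advisory): a toy type-name-driven deserializer.
// Payload layout is an assumption: "<type full name>|<Property>=<value>;<Property>=<value>"
using System;
using System.Collections.Generic;
using System.Reflection;

// The type the receiver expects.
public sealed class Greeting { public string Text { get; set; } }

// Stand-in for a type the attacker would rather have created: its setter has a side effect.
public sealed class SideEffectOnSet
{
    public string Text { set { Console.WriteLine($"side effect triggered with: {value}"); } }
}

public static class TypeNameDeserializer
{
    // Vulnerable: the type to instantiate comes from the untrusted payload itself.
    public static object DeserializeUnsafe(string payload)
    {
        var parts = payload.Split('|', 2);
        var type = Type.GetType(parts[0], throwOnError: true); // attacker chooses the type
        var obj = Activator.CreateInstance(type);
        ApplyProperties(obj, parts[1]);
        return obj;
    }

    // Hardened: only types the receiver explicitly allows can be created,
    // regardless of what type name the stream carries.
    public static object DeserializeAllowlisted(string payload, IReadOnlyDictionary<string, Type> allowed)
    {
        var parts = payload.Split('|', 2);
        if (!allowed.TryGetValue(parts[0], out var type))
            throw new InvalidOperationException($"type '{parts[0]}' is not allowed for deserialization");
        var obj = Activator.CreateInstance(type);
        ApplyProperties(obj, parts[1]);
        return obj;
    }

    // Assigns "Name=value" pairs to public string properties of the created object.
    private static void ApplyProperties(object obj, string fields)
    {
        foreach (var kv in fields.Split(';', StringSplitOptions.RemoveEmptyEntries))
        {
            var pair = kv.Split('=', 2);
            var prop = obj.GetType().GetProperty(pair[0], BindingFlags.Public | BindingFlags.Instance);
            prop?.SetValue(obj, pair[1]);
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample payloads; the receiver expects a Greeting in both cases.
        string benign = $"{typeof(Greeting).FullName}|Text=hello";
        string hostile = $"{typeof(SideEffectOnSet).FullName}|Text=pwned";

        var greeting = (Greeting)TypeNameDeserializer.DeserializeUnsafe(benign);
        Console.WriteLine($"benign payload gave Greeting: {greeting.Text}");

        // The vulnerable path instantiates the attacker's type and runs its setter.
        TypeNameDeserializer.DeserializeUnsafe(hostile);

        // The allowlisted path rejects the same payload before any object is created.
        var allowed = new Dictionary<string, Type> { [typeof(Greeting).FullName] = typeof(Greeting) };
        try
        {
            TypeNameDeserializer.DeserializeAllowlisted(hostile, allowed);
        }
        catch (InvalidOperationException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The allowlist is a mitigation for this particular toy format; the CA2300 guidance linked above makes the broader point, which is to avoid deserializers that resolve types from untrusted input at all, or to restrict them to a closed set of known types. An allowlist still has to be kept small and must not include types whose constructors or setters perform privileged work.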
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Affected products
AsynkronIT · Wire
