Impact
LiteDB uses a special field in JSON documents to cast different types from BsonDocument to POCO classes. When an object instance is not of the same class as the declared member, BsonMapper uses a special string field, `_type`, holding the full class name together with its assembly; that type is loaded and the instance is fitted into your model.
If an end user can send your application a plain JSON string, deserialization can load an unsafe object to fit into your model.
ChocolateyGUI v1.1.1 and older may be affected by this vulnerability and should be updated.
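As an added illustration of the mechanism described above (this is not LiteDB's or ChocolateyGUI's code, and it does not reproduce LiteDB's BsonMapper), the C# sketch below models a document-to-object mapper in which a `_type` field naming a fully qualified CLR type overrides the declared member type. It runs a constructed attacker-supplied document through a trusting resolver and through a hardened one that requires both an allow-list hit and assignability to the declared type. The Customer, Address and Gadget classes, the resolver names and the allow-list are hypothetical.

```csharp
// Added example, not code from LiteDB or ChocolateyGUI. It models the "_type" mechanism the
// advisory describes: a JSON document names the concrete CLR type to instantiate, and the mapper
// resolves that name (full class name plus assembly) and fills the declared member with it.
// Customer/Address/Gadget, the resolver names and the allow-list are hypothetical.
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Text.Json;

public class Customer
{
    public string Name { get; set; }
    public Address Address { get; set; }
}

public class Address
{
    public string City { get; set; }
}

// Stand-in for any loadable type whose constructor or setters do something the caller did not intend.
public class Gadget
{
    public string Command
    {
        set { Console.WriteLine("Gadget setter ran with: " + value); }
    }
}

public static class Mapper
{
    public delegate Type TypeResolver(string typeName, Type declared);

    // Vulnerable: whatever "_type" names is instantiated, as long as the runtime can load it.
    public static Type TrustingResolver(string typeName, Type declared) =>
        Type.GetType(typeName, throwOnError: true);

    // Hardened: only allow-listed types that are assignable to the declared member type.
    static readonly HashSet<Type> Allowed = new HashSet<Type> { typeof(Customer), typeof(Address) };
    public static Type RestrictedResolver(string typeName, Type declared)
    {
        Type resolved = Type.GetType(typeName, throwOnError: false);
        if (resolved == null || !Allowed.Contains(resolved) || !declared.IsAssignableFrom(resolved))
            throw new InvalidOperationException("refusing _type '" + typeName + "' for member of type " + declared.Name);
        return resolved;
    }

    // Minimal mapper: "_type" overrides the declared type, the remaining properties are set by name.
    public static object ToObject(JsonElement doc, Type declared, TypeResolver resolve)
    {
        Type target = doc.TryGetProperty("_type", out JsonElement t) ? resolve(t.GetString(), declared) : declared;
        object obj = Activator.CreateInstance(target);   // the resolved type's constructor runs here
        foreach (JsonProperty prop in doc.EnumerateObject())
        {
            if (prop.Name == "_type") continue;
            PropertyInfo pi = target.GetProperty(prop.Name);
            if (pi == null || !pi.CanWrite) continue;
            object value = null;
            if (prop.Value.ValueKind == JsonValueKind.String) value = prop.Value.GetString();
            else if (prop.Value.ValueKind == JsonValueKind.Object) value = ToObject(prop.Value, pi.PropertyType, resolve);
            // Checking assignability only here is too late: the nested object was built and its setters already ran.
            if (value != null && pi.PropertyType.IsInstanceOfType(value)) pi.SetValue(obj, value);
        }
        return obj;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed attacker-supplied document: the Address member names a type the model never declared.
        string payload = "{\"Name\":\"alice\",\"Address\":{\"_type\":\"" + typeof(Gadget).AssemblyQualifiedName
                       + "\",\"Command\":\"do-something\"}}";
        // Constructed legitimate document: "_type" names the declared type itself, as the mapper intends.
        string benign = "{\"Name\":\"bob\",\"Address\":{\"_type\":\"" + typeof(Address).AssemblyQualifiedName
                      + "\",\"City\":\"Lisbon\"}}";

        using (JsonDocument doc = JsonDocument.Parse(payload))
        {
            // Trusting mapper: Gadget is constructed and its setter fires before the type mismatch is noticed.
            Customer c = (Customer)Mapper.ToObject(doc.RootElement, typeof(Customer), Mapper.TrustingResolver);
            Console.WriteLine("trusting mapper: Address is " + (c.Address == null ? "null" : c.Address.City));
            try
            {
                Mapper.ToObject(doc.RootElement, typeof(Customer), Mapper.RestrictedResolver);
            }
            catch (InvalidOperationException e)
            {
                Console.WriteLine("restricted mapper: " + e.Message);   // refused before Gadget is ever instantiated
            }
        }
        using (JsonDocument doc = JsonDocument.Parse(benign))
        {
            Customer c = (Customer)Mapper.ToObject(doc.RootElement, typeof(Customer), Mapper.RestrictedResolver);
            Console.WriteLine("restricted mapper accepts declared type: " + c.Address.City);
        }
    }
}
```

The point of the two resolvers is where the check happens: the trusting path instantiates the named type and runs its setters before anything compares it with the declared member type, so a post-hoc assignability check cannot undo the side effect. The hardened resolver decides before `Activator.CreateInstance` is reached, which is the only place a type-name allow-list does any good.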
Patches
ChocolateyGUI v1.1.2 bumps the LiteDB dependency to 5.0.15, removing this issue.
Workarounds
- Update to at least v1.1.2 of ChocolateyGUI
References