Add CVE-2021-29508 for GHSA-hpw7-3vq3-mmv6

2025-07-29 05:56:59 +00:00 · 2021-05-11 09:32:23 -07:00 · 2021-05-11 09:32:23 -07:00 · 5e22f6898a
commit 5e22f6898a
parent 4de20d23ba
1 changed files with 76 additions and 6 deletions
--- a/2021/29xxx/CVE-2021-29508.json
+++ b/2021/29xxx/CVE-2021-29508.json
@ -1,18 +1,88 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-29508",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Insecure deserialization in Wire"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "Wire",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "<= 1.0.0"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "AsynkronIT"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer. e.g. using a surrogate on the sender end, an attacker can pass information about a different type for the receiving end. And by doing so allowing the serializer to create any type on the deserializing end. This is the same issue that exists for .NET BinaryFormatter https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300?view=vs-2019. This also applies to the fork of Wire."
            }
        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "LOW",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "HIGH",
+            "baseScore": 9.1,
+            "baseSeverity": "CRITICAL",
+            "confidentialityImpact": "NONE",
+            "integrityImpact": "HIGH",
+            "privilegesRequired": "NONE",
+            "scope": "UNCHANGED",
+            "userInteraction": "NONE",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "{\"CWE-502\":\"Deserialization of Untrusted Data\"}"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/AsynkronIT/Wire/security/advisories/GHSA-hpw7-3vq3-mmv6",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/AsynkronIT/Wire/security/advisories/GHSA-hpw7-3vq3-mmv6"
+            },
+            {
+                "name": "https://www.nuget.org/packages/Wire/",
+                "refsource": "MISC",
+                "url": "https://www.nuget.org/packages/Wire/"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-hpw7-3vq3-mmv6",
+        "discovery": "UNKNOWN"
    }
 }