Описание
Csla affected by Remote Code Execution via WcfProxy (NetDataContractSerializer)
Impact
Versions of CSLA .NET prior to version 6 allow the use of WcfProxy. WcfProxy uses the NetDataContractSerializer (NDCS) which has known vulnerabilities that can allow remote execution of code during deserialization. NDCS itself is considered obsolete, and you should avoid using WcfProxy or upgrade to CSLA 6 or higher where this issue does not exist.
Patches
CSLA .NET version 6 and higher do not use WCF or NetDataContractSerializer.
Workarounds
If you are using a version CSLA .NET older than version 6, you should stop using WcfProxy in your data portal configuration. Doing this avoids the use of WCF and the NetDataContractSerializer, avoiding the vulnerability.
Ссылки
Пакеты
Csla
< 6.0.0
6.0.0
Связанные уязвимости
CSLA .NET is a framework designed for the development of reusable, object-oriented business layers for applications. Versions 5.5.4 and below allow the use of WcfProxy. WcfProxy uses the now-obsolete NetDataContractSerializer (NDCS) and is vulnerable to remote code execution during deserialization. This vulnerability is fixed in version 6.0.0. To workaround this issue, remove the WcfProxy in data portal configurations.