CVE-2022-0749: Deserialization of Untrusted Data

March 18, 2022 (updated September 7, 2022)

This affects all versions of package SinGooCMS.Utility. The socket client in the package can pass in the payload via the user-controllable input after it has been established, because this socket client transmission does not have the appropriate restrictions or type bindings for the BinaryFormatter.

References

github.com/SinGooCMS/SinGooCMSUtility/blob/master/SinGooCMS.Utility/Net/SocketClient.cs
github.com/SinGooCMS/SinGooCMSUtility/issues/1
github.com/advisories/GHSA-29rv-fqx2-4c9f
nvd.nist.gov/vuln/detail/CVE-2022-0749
snyk.io/vuln/SNYK-DOTNET-SINGOOCMSUTILITY-2312979

Detect and mitigate CVE-2022-0749 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →