PT-2020-16044 · Microsoft+1 · Asp.Net Binaryformatter+1
Published
2020-09-11
·
Updated
2022-06-30
·
CVE-2020-25258
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Hyland OnBase versions 16.0.2.83 and below
Hyland OnBase versions 17.0.2.109 and below
Hyland OnBase versions 18.0.0.37 and below
Hyland OnBase versions 19.8.16.1000 and below
Hyland OnBase versions 20.3.10.1000 and below
Description
The issue allows attackers to transmit and execute bytecode in SOAP messages due to the use of ASP.NET BinaryFormatter.Deserialize. This enables attackers to execute malicious code.
Recommendations
For Hyland OnBase versions 16.0.2.83 and below, consider disabling the use of ASP.NET BinaryFormatter.Deserialize until a patch is available.
For Hyland OnBase versions 17.0.2.109 and below, consider disabling the use of ASP.NET BinaryFormatter.Deserialize until a patch is available.
For Hyland OnBase versions 18.0.0.37 and below, consider disabling the use of ASP.NET BinaryFormatter.Deserialize until a patch is available.
For Hyland OnBase versions 19.8.16.1000 and below, consider disabling the use of ASP.NET BinaryFormatter.Deserialize until a patch is available.
For Hyland OnBase versions 20.3.10.1000 and below, consider disabling the use of ASP.NET BinaryFormatter.Deserialize until a patch is available.
Fix
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Asp.Net Binaryformatter
Hyland Onbase