DatabaseSchemaViewer is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted
Issue: DatabaseSchemaReader is using an unsafe serializer to open
The user should be careful not to open
.dbschema files from untrusted sources. See the Proof of Concept below.
While the file is opened as data, any arbitrary code defined in the file is executed without user consent.
Use a safer serializer,
XmlSerializer for example, that performs expected type checks. See Alvaro and Oleksandr slides for other safer serializer options.
Coordinated Disclosure Timeline
- 31/07/2020: Attempt to contact Vendor
- 29/10/2020: Asked publicly for the security contact
- 29/10/2020: Vendor acknowledges
- 29/10/2020: The issue is remediated in v18.104.22.168
- 30/10/2020: CVE-2020-26207 got assigned
- 31/10/2020: Advisory published
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
You can contact the GHSL team at
email@example.com, please include a reference to
GHSL-2020-141 in any communication regarding this issue.