November 2, 2020

GHSL-2020-141: Arbitrary code execution in DatabaseSchemaReader - CVE-2020-26207

Jaroslav Lobačevski

Summary

DatabaseSchemaViewer is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted .dbschema file.

Product

DatabaseSchemaReader

Tested Version

Master branch.

Details

Issue: DatabaseSchemaReader is using an unsafe serializer to open .dbschema files.

The user should be careful not to open .dbschema files from untrusted sources. See the Proof of Concept below.

Impact

Although the file is opened as data, any arbitrary code defined in the file is executed without the user's consent.

Remediation

Use a safer serializer, for example XmlSerializer, that performs the expected type checks. See Alvaro's and Oleksandr's slides for other safer serializer options.
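As an added illustration of the remediation (example code written for this advisory, not the DatabaseSchemaReader project's own code), the loader below deserializes a .dbschema file with an XmlSerializer bound to a fixed root type. The SchemaDocument and SchemaTable classes are hypothetical stand-ins for whatever model the project actually persists. Because XmlSerializer only instantiates types reachable from the declared root, a crafted file cannot name an arbitrary type to be constructed; the XmlReaderSettings additionally disable DTD processing and external resolution so that the XML layer itself does not fetch or expand untrusted content.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

// Hypothetical schema model; stands in for the project's real classes.
public class SchemaTable
{
    public string Name { get; set; }
}

public class SchemaDocument
{
    public string DatabaseName { get; set; }
    public SchemaTable[] Tables { get; set; }
}

public static class SafeSchemaLoader
{
    // Serializer bound to the declared root type. XmlSerializer creates only
    // instances of types reachable from SchemaDocument; it never instantiates
    // a type named inside the input document.
    private static readonly XmlSerializer Serializer =
        new XmlSerializer(typeof(SchemaDocument));

    public static SchemaDocument Load(string path)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // no DTD, so no entity expansion
            XmlResolver = null,                     // never fetch external resources
            MaxCharactersFromEntities = 1024        // cap entity-derived text
        };

        using (var stream = File.OpenRead(path))
        using (var reader = XmlReader.Create(stream, settings))
        {
            // Refuse documents whose root element is not the expected one
            // before any deserialization work happens.
            if (!Serializer.CanDeserialize(reader))
                throw new InvalidDataException("Not a valid .dbschema document");

            return (SchemaDocument)Serializer.Deserialize(reader);
        }
    }

    public static void Save(string path, SchemaDocument doc)
    {
        using (var stream = File.Create(path))
            Serializer.Serialize(stream, doc);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample document used only to exercise the loader.
        var sample = new SchemaDocument
        {
            DatabaseName = "example",
            Tables = new[] { new SchemaTable { Name = "users" } }
        };

        string tmp = Path.Combine(Path.GetTempPath(), "sample.dbschema");
        SafeSchemaLoader.Save(tmp, sample);

        SchemaDocument loaded = SafeSchemaLoader.Load(tmp);
        Console.WriteLine($"{loaded.DatabaseName}: {loaded.Tables.Length} table(s)");
    }
}
```

The key property is that the type to construct is fixed at compile time by typeof(SchemaDocument), not read from the file. Serializers that honour type names embedded in the payload are the ones that turn a file-open into code execution, which is why the advisory recommends an XmlSerializer-style, schema-bound serializer instead.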

CVE

  • CVE-2020-26207

Coordinated Disclosure Timeline

  • 31/07/2020: Attempt to contact Vendor
  • 29/10/2020: Asked publicly for the security contact
  • 29/10/2020: Vendor acknowledges
  • 29/10/2020: The issue is remediated in v2.7.4.3
  • 30/10/2020: CVE-2020-26207 got assigned
  • 31/10/2020: Advisory published

Resources

PoC

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-141 in any communication regarding this issue.