DevExpress before 23.1.3 has a data-source protection mechanism bypass during deserialization on XML data.
Weakness
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Devexpress | Devexpress | * | 21.2.12 (excluding) |
| Devexpress | Devexpress | 22.1.8 (including) | 22.1.8 (including) |
| Devexpress | Devexpress | 22.2.4 (including) | 22.2.4 (including) |
| Devexpress | Devexpress | 22.2.5 (including) | 22.2.5 (including) |
Potential Mitigations
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Related Attack Patterns
References
- https://code-white.com/public-vulnerability-list/
- https://supportcenter.devexpress.com/ticket/details/t1141947/data-source-protection-bypass-during-xml-deserialization
- https://supportcenter.devexpress.com/ticket/details/t1159142/web-reporting-data-source-protection-bypassed-during-xml-deserialization
- https://supportcenter.devexpress.com/ticket/details/t394936/devexpress-security-advisory-updated-on-april-27-2023