binary-formatter.yaml
rules:
  - id: insecure-binaryformatter-deserialization
    severity: WARNING
    languages:
      - C#
    metadata:
      cwe:
        - 'CWE-502: Deserialization of Untrusted Data'
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
        - A08:2025 - Software or Data Integrity Failures
      references:
        - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide
      category: security
      technology:
        - .net
      confidence: HIGH
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: HIGH
    message: >-
      The BinaryFormatter type is dangerous and is not recommended for data processing.
      Applications should stop using BinaryFormatter as soon as possible, even if they
      believe the data they're processing to be trustworthy. BinaryFormatter is insecure
      and can't be made secure.
    patterns:
      - pattern-inside: |
          using System.Runtime.Serialization.Formatters.Binary;
          ...
      - pattern: |
          new BinaryFormatter();
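The rule above has no companion test file on this page, so the following C# file is an added example (not code from the original repository) showing what the rule is meant to catch and what a replacement looks like. It follows the Semgrep test-file convention of a `// ruleid:` comment before a line the rule must flag and `// ok:` before a line it must not. The `SessionState` type, the `StateStore` class and the JSON replacement are assumptions made for the illustration; the rule's own message only says to stop using BinaryFormatter.

```csharp
// Added example test file for insecure-binaryformatter-deserialization.
// Semgrep test convention: "// ruleid:" marks the next line as an expected
// finding, "// ok:" marks a line the rule must not report.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

[Serializable]
public class SessionState
{
    public string User { get; set; } = "";
    public int Level { get; set; }
}

public static class StateStore
{
    // Vulnerable: BinaryFormatter.Deserialize instantiates whatever types the
    // payload names, so a client-controlled blob (cookie, queue message, cache
    // entry) can drive arbitrary code execution. The rule fires on the
    // constructor call, which is where every such code path begins.
    // Note: on .NET 8 and later this constructor path throws
    // NotSupportedException by default; the compiler also emits SYSLIB0011.
    public static SessionState LoadUnsafe(byte[] untrustedBlob)
    {
        // ruleid: insecure-binaryformatter-deserialization
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(untrustedBlob);
        return (SessionState)formatter.Deserialize(stream);
    }

    // Hardened (assumed replacement): System.Text.Json fills exactly the type
    // the caller asks for and never reads a type name out of the payload.
    public static SessionState LoadSafe(byte[] untrustedBlob)
    {
        // ok: insecure-binaryformatter-deserialization
        return JsonSerializer.Deserialize<SessionState>(untrustedBlob)
               ?? throw new InvalidDataException("empty or null payload");
    }

    public static byte[] Save(SessionState state) =>
        JsonSerializer.SerializeToUtf8Bytes(state);
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input standing in for data received from a client.
        byte[] blob = StateStore.Save(new SessionState { User = "alice", Level = 3 });
        SessionState state = StateStore.LoadSafe(blob);
        Console.WriteLine($"{state.User} level {state.Level}");
    }
}
```

Two things worth knowing when relying on this rule. The `pattern-inside` clause requires the literal `using System.Runtime.Serialization.Formatters.Binary;` directive in the file, so a fully qualified `new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter()` in a file without that directive, or a formatter instance handed in from elsewhere, falls outside what the rule as written reports. And the rule flags the constructor rather than the `Deserialize` call, which is deliberate: the project's own reference (the Microsoft BinaryFormatter security guide) states that BinaryFormatter cannot be made secure, so any instantiation is the finding, not just the ones whose input looks untrusted.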