Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0
Following configuration must be true for the vulnerability to be applicable: * Application must written in C# taking arbitrary data from users and serializing data using _t without any validation AND
* Application must be running on a Windows host using the full .NET Framework, not .NET Core AND
* Application must have domain model class with a property/field explicitly of type System.Object or a collection of type System.Object (against MongoDB best practice) AND
* Malicious attacker must have unrestricted insert access to target database to add a _t discriminator."Following configuration must be true for the vulnerability to be applicable
References
Link | Resource |
---|---|
https://github.com/mongodb/mongo-csharp-driver/releases/tag/v2.19.0 | Release Notes |
https://jira.mongodb.org/browse/CSHARP-4475 | Patch Vendor Advisory |
Configurations
History
21 Jun 2023, 13:15
Type | Values Removed | Values Added |
---|---|---|
Summary | Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0 Following configuration must be true for the vulnerability to be applicable: * Application must written in C# taking arbitrary data from users and serializing data using _t without any validation AND * Application must be running on a Windows host using the full .NET Framework, not .NET Core AND * Application must have domain model class with a property/field explicitly of type System.Object or a collection of type System.Object (against MongoDB best practice) AND * Malicious attacker must have unrestricted insert access to target database to add a _t discriminator."Following configuration must be true for the vulnerability to be applicable |
02 Mar 2023, 22:50
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-502 | |
CPE | cpe:2.3:a:mongodb:c\#_driver:*:*:*:*:*:mongodb:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.2 |
First Time |
Mongodb
Mongodb c\# Driver |
|
References | (MISC) https://jira.mongodb.org/browse/CSHARP-4475 - Patch, Vendor Advisory | |
References | (MISC) https://github.com/mongodb/mongo-csharp-driver/releases/tag/v2.19.0 - Release Notes |
22 Feb 2023, 01:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
21 Feb 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-02-21 19:15
Updated : 2023-12-10 14:48
NVD link : CVE-2022-48282
Mitre link : CVE-2022-48282
CVE.ORG link : CVE-2022-48282
JSON object : View
Products Affected
mongodb
- c\#_driver
CWE
CWE-502
Deserialization of Untrusted Data