-
Type: Improvement
-
Resolution: Done
-
Priority: Unknown
-
Affects Version/s: 2.18.0
-
Component/s: Serialization
-
None
-
Minor Change
Title:
Deserializing compromised object with MongoDB .NET/C# Driver may cause remote code execution
CVE ID:
CVE-2022-48282
Description:
Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0
CVSS Score:
This issue's CVSS:3.1 severity is scored at 6.6 using the following scoring metrics:
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
All Affected Product Versions:
All MongoDB .NET/C# Driver versions prior to and including v2.18.0
CWE:
CWE - 502 : Deserialization of Untrusted Data
Is a Fixed Version Available?:
MongoDB .NET/C# Driver v2.19.0
How was the Issue Found? (Internally/Externally):
Externally
Internal Jira Reference:
Required Configuration for Exposure (Optional):
Application must written in C# taking arbitrary data from users and serializing data using _t without any validation AND
Application must be running on a Windows host using the full .NET Framework, not .NET Core AND
Application must have domain model class with a property/field explicitly of type System.Object or a collection of type System.Object (against MongoDB best practice) AND
Malicious attacker must have unrestricted insert access to target database to add a _t discriminator.
Credits Jonathan Birch of Microsoft Office Security
- related to
-
CSHARP-4534 Consider adding anonymous types to DefaultAllowedTypes
- Closed
-
CSHARP-4495 Add conventions and attributes to configure ObjectSerializer AllowedTypes
- Investigating