CVE-2022-48282 — Deserialization of Untrusted Data in Mongodb C Driver

CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

7.2HIGHNVD

CNA6.6

EPSS

1.3%

top 19.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb C Driver Mongodb INC Mongodb NET C Driver

Timeline

PublishedFeb 21

Description

Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0 Following configuration must be true for the vulnerability to be applicable: * Application must written in C# taking arbitrary data from users and serializing data using _t without…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶NVDmongodb/c_driver< 2.19.0

▶CVEListV5mongodb_inc/mongodb_net_c_driverv2.18.0

Patches

Patch: jira.mongodb.org ↗Patch: jira.mongodb.org ↗

🔴Vulnerability Details

CVEList

Deserializing compromised object with MongoDB .NET/C# Driver may cause remote code execution↗2023-02-21

▶

OSV

MongoDB .NET/C# Driver vulnerable to Deserialization of Untrusted Data↗2023-02-21

▶

GHSA

MongoDB .NET/C# Driver vulnerable to Deserialization of Untrusted Data↗2023-02-21

▶