CVE-2022-48282
Published 2023-02-21
Priority: P3 | CVSS 3.1 base score 7.2 (high)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.05% (60.0th percentile)
Under very specific circumstances (see the Required configuration section below), a privileged user is able to cause arbitrary code to be executed, which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0.
Required configuration: all of the following must be true for the vulnerability to be applicable:
* Application must be written in C#, taking arbitrary data from users and serializing it using the _t discriminator without any validation, AND
* Application must be running on a Windows host using the full .NET Framework, not .NET Core, AND
* Application must have a domain model class with a property/field explicitly of type System.Object, or a collection of System.Object (against MongoDB best practice), AND
* Malicious attacker must have unrestricted insert access to the target database in order to add a _t discriminator.
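The conditions above describe one mechanism: a member typed as System.Object is handled by the driver's ObjectSerializer, which records the concrete type in a `_t` discriminator on write and, on read, resolves whatever `_t` names and instantiates it. The following is an added example, not code from the advisory or from MongoDB, showing that shape and the mitigation available from driver 2.19.0, where ObjectSerializer takes an allow-list predicate. It assumes MongoDB.Bson/MongoDB.Driver 2.19 or later (the `ObjectSerializer(Func<Type,bool>)` constructor and `ObjectSerializer.DefaultAllowedTypes`), a hypothetical `MyApp.Models` namespace with `Note` and `Event` types, and a constructed hostile document; it runs offline against in-memory BSON and needs no server.

```csharp
// Added example (not MongoDB's code). Assumes MongoDB.Bson 2.19+ and the
// hypothetical namespace MyApp.Models. No database connection is used.
using System;
using MongoDB.Bson;
using MongoDB.Bson.Serialization;
using MongoDB.Bson.Serialization.Serializers;

namespace MyApp.Models
{
    public class Note { public string Text { get; set; } }

    // The risky shape from the advisory: a member typed as System.Object.
    // The driver serializes it with ObjectSerializer, which writes a _t
    // discriminator holding the full type name on the way out and, on the
    // way in, resolves _t to a concrete type and instantiates it.
    public class Event
    {
        public ObjectId Id { get; set; }
        public object Payload { get; set; }
    }

    public static class Demo
    {
        // Mitigation (2.19.0 API): register an ObjectSerializer whose allow-list
        // covers the driver's default safe types plus this application's own
        // model namespace. Any other type named in _t is rejected with a
        // BsonSerializationException before anything is instantiated.
        // Must run before the first serialization, or the default serializer
        // for System.Object is already registered and this call throws.
        public static void RegisterHardenedObjectSerializer()
        {
            var objectSerializer = new ObjectSerializer(type =>
                ObjectSerializer.DefaultAllowedTypes(type)
                || type.FullName.StartsWith("MyApp.Models.", StringComparison.Ordinal));
            BsonSerializer.RegisterSerializer(objectSerializer);
        }

        // Returns the runtime type the driver materialised for Payload,
        // or null if the driver refused the document.
        public static Type TryReadPayload(BsonDocument stored)
        {
            try
            {
                var e = BsonSerializer.Deserialize<Event>(stored);
                return e.Payload?.GetType();
            }
            catch (BsonSerializationException)
            {
                return null;
            }
        }

        public static void Main()
        {
            RegisterHardenedObjectSerializer();

            // 1. A legitimate document written by the application itself;
            //    _t in Payload names MyApp.Models.Note, which is on the allow-list.
            var legit = new Event
            {
                Id = ObjectId.GenerateNewId(),
                Payload = new Note { Text = "hi" }
            }.ToBsonDocument();
            Console.WriteLine(legit.ToJson());
            Console.WriteLine(TryReadPayload(legit)?.FullName ?? "rejected");

            // 2. Constructed hostile document, as someone with insert rights on the
            //    collection could write directly: _t names a type the application
            //    never intended to materialise. A harmless BCL type is used here
            //    purely to show the allow-list rejection; no gadget is involved.
            var hostile = new BsonDocument
            {
                { "_id", ObjectId.GenerateNewId() },
                { "Payload", new BsonDocument
                    {
                        { "_t", "System.Text.StringBuilder" },
                        { "Capacity", 16 }
                    }
                }
            };
            Console.WriteLine(TryReadPayload(hostile)?.FullName ?? "rejected");
        }
    }
}
```

Two practitioner notes. First, the allow-list is the upgrade's behaviour change: on 2.19.0 and later an application that stores its own domain types in System.Object-typed members must register an ObjectSerializer that admits those types, or legitimate reads start failing. Second, the allow-list only narrows which types `_t` may name; replacing the System.Object member with a concrete type or a sealed class hierarchy with registered discriminators removes the type-name lookup altogether, which is the "MongoDB best practice" the advisory refers to.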
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongodb | c_driver | < 2.19.0 | 2.19.0 |
| mongodb_inc | mongodb_net_c_driver | <= v2.18.0 | — |
OSV
osv · 2023-02-21 · CVE-2022-48282 [HIGH]: MongoDB .NET/C# Driver vulnerable to Deserialization of Untrusted Data
Under very specific circumstances, a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0.
GHSA
ghsa · 2023-02-21 · CVE-2022-48282 [HIGH] · CWE-502: MongoDB .NET/C# Driver vulnerable to Deserialization of Untrusted Data
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-02-21