Arbitrary Code Execution Affecting mongodb.driver package, versions [,2.19.0)
- Snyk ID SNYK-DOTNET-MONGODBDRIVER-3329316
- published 22 Feb 2023
- disclosed 22 Feb 2023
- credit Jonathan Birch of Microsoft Office Security
Introduced: 22 Feb 2023
CVE-2022-48282
How to fix?
Upgrade MongoDB.Driver to version 2.19.0 or higher.
Overview
MongoDB.Driver is the official .NET driver for MongoDB.
Affected versions of this package are vulnerable to Arbitrary Code Execution via ObjectSerializer when deserializing a crafted object. When a domain model member is declared as System.Object, the serializer reads the document's _t type discriminator to decide which .NET type to instantiate, so an attacker who can write that discriminator controls the type. Exploiting this vulnerability allows a user with insert privileges to cause arbitrary code execution, which may cause further disruption to services.
Note: all of the following conditions must hold for an application to be vulnerable:
- The application is written in C#, takes arbitrary data from users and serializes it with a _t type discriminator, without any validation.
- The application runs on a Windows host using the full .NET Framework, not .NET Core.
- The application has a domain model class with a property or field explicitly of type System.Object, or a collection of System.Object (against MongoDB best practice).
- The attacker has unrestricted insert access to the target database, so they can add a _t discriminator of their choosing.
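The following C# program is an added example, not code from this advisory or from the MongoDB driver project. It shows the risky domain model described above (a member typed as System.Object) next to the allow-list that ObjectSerializer accepts from version 2.19.0 on, and then feeds it a constructed document whose _t names a type the application never stores. The ShopApp namespace, the Order and Address types and the sample values are assumptions made for the example; it assumes MongoDB.Bson / MongoDB.Driver 2.19.0 or later, and that a disallowed type surfaces as a BsonSerializationException.

```csharp
// Added example, not code from the Snyk page or the MongoDB driver project.
// Assumes MongoDB.Driver / MongoDB.Bson 2.19.0 or later; the ShopApp
// namespace and types are hypothetical. Build as a console project
// referencing the MongoDB.Driver package.
using System;
using MongoDB.Bson;
using MongoDB.Bson.Serialization;
using MongoDB.Bson.Serialization.Serializers;

namespace ShopApp.Models
{
    // The risky shape named in the advisory: a member declared as System.Object.
    // The driver cannot learn the concrete type from the class, so it reads the
    // document's _t discriminator to decide what to instantiate. Whoever can
    // write _t therefore chooses the type.
    public class Order
    {
        public ObjectId Id { get; set; }
        public string Customer { get; set; }
        public object Metadata { get; set; }
    }

    // The only type the application legitimately stores in Metadata.
    public class Address
    {
        public string Street { get; set; }
        public string City { get; set; }
    }
}

namespace ShopApp
{
    public static class Program
    {
        // Call once at startup, before any serializer is resolved.
        // DefaultAllowedTypes covers primitives, strings, arrays, the BSON
        // value types and the common collections; everything else is opt-in.
        public static void RegisterObjectSerializer()
        {
            var objectSerializer = new ObjectSerializer(type =>
                ObjectSerializer.DefaultAllowedTypes(type) ||
                type.Namespace == "ShopApp.Models");
            BsonSerializer.RegisterSerializer(objectSerializer);
        }

        public static void Main()
        {
            RegisterObjectSerializer();

            // Let the driver produce the stored shape itself, so the _t value is
            // whatever the registered discriminator convention writes.
            var order = new Models.Order
            {
                Id = ObjectId.GenerateNewId(),
                Customer = "alice",
                Metadata = new Models.Address { Street = "1 Main St", City = "Springfield" },
            };
            var good = order.ToBsonDocument();
            Console.WriteLine("stored _t: " + good["Metadata"]["_t"]);
            var roundTrip = BsonSerializer.Deserialize<Models.Order>(good);
            Console.WriteLine("Metadata is " + roundTrip.Metadata.GetType().FullName);

            // Constructed hostile document: same shape, but _t now names a type
            // the application never stores. Anyone with insert access to the
            // collection can write exactly this. Before 2.19.0 the driver
            // instantiated whatever _t named; with the allow-list it refuses
            // before constructing anything.
            var hostile = (BsonDocument)good.DeepClone();
            hostile["Metadata"] = new BsonDocument
            {
                { "_t", "System.Text.StringBuilder" },
                { "Capacity", 16 },
            };
            try
            {
                BsonSerializer.Deserialize<Models.Order>(hostile);
                Console.WriteLine("deserialized: allow-list is NOT in effect");
            }
            catch (BsonSerializationException ex)
            {
                Console.WriteLine("rejected: " + ex.Message);
            }
        }
    }
}
```

The allow-list predicate is the control the upgrade gives you; the other two conditions in the list above are still worth closing on their own. Replacing the System.Object member with a concrete type or a BsonDocument removes the discriminator lookup entirely, and restricting which database principals may insert into the collection removes the attacker's ability to write _t in the first place.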