Arbitrary Code Execution Affecting mongodb.driver package, versions [,2.19.0)


0.0
medium

Snyk CVSS

    Attack Complexity High
    Privileges Required High
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    EPSS 0.1% (41st percentile)
NVD
7.2 high

  • Snyk ID SNYK-DOTNET-MONGODBDRIVER-3329316
  • published 22 Feb 2023
  • disclosed 22 Feb 2023
  • credit Jonathan Birch of Microsoft Office Security

How to fix?

Upgrade MongoDB.Driver to version 2.19.0 or higher.

Overview

MongoDB.Driver is the official .NET driver for MongoDB.

Affected versions of this package are vulnerable to Arbitrary Code Execution via ObjectSerializer when deserializing a compromised object. Exploiting this vulnerability allows a privileged user to cause arbitrary code execution, which may cause further disruption to services.

Note: All of the following conditions must exist to be vulnerable:

  1. Application must be written in C#, take arbitrary data from users, and serialize it using _t without any validation.

  2. Application must be running on a Windows host using the full .NET Framework, not .NET Core.

  3. Application must have a domain model class with a property or field explicitly of type System.Object, or a collection of System.Object (against MongoDB best practice).

  4. A malicious attacker must have unrestricted insert access to the target database to add a _t discriminator.
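The following C# is an added illustration of conditions 1 and 3 above and is not code from the Snyk advisory or from the MongoDB driver project. It shows the risky domain-model shape (a member typed as System.Object) next to a closed alternative, a pre-insert check that rejects user-supplied documents carrying a _t discriminator anywhere in their tree, and a restricted ObjectSerializer registration. The registration assumes the allowed-types predicate that the 2.19.0 driver introduced (the ObjectSerializer constructor taking a Func<Type, bool> and the ObjectSerializer.DefaultAllowedTypes delegate); neither that API nor the class names RiskyEvent, SafeEvent and Hardening appear on the page.

```csharp
using System;
using MongoDB.Bson;
using MongoDB.Bson.Serialization;
using MongoDB.Bson.Serialization.Serializers;

// Condition 3: a domain class with a member typed as System.Object.
// The driver persists such a value with a "_t" discriminator and resolves
// that name back to a CLR type when reading the document.
public class RiskyEvent
{
    public string Name { get; set; }
    public object Payload { get; set; }        // open-ended type: avoid
}

// Closed alternative: keep the raw document instead of an open type, so no
// type-name resolution happens on read.
public class SafeEvent
{
    public string Name { get; set; }
    public BsonDocument Payload { get; set; }
}

public static class Hardening
{
    // Assumption: this is the allowed-types predicate added in driver 2.19.0.
    // Only the driver's default set plus this application's own model types
    // may be instantiated by ObjectSerializer. Register it once at startup,
    // before any serialization takes place.
    public static void RegisterRestrictedObjectSerializer()
    {
        var serializer = new ObjectSerializer(type =>
            ObjectSerializer.DefaultAllowedTypes(type) ||
            type == typeof(SafeEvent));
        BsonSerializer.RegisterSerializer(serializer);
    }

    // Condition 1: user-supplied documents must not carry a discriminator.
    // Returns true if any element named "_t" exists at any depth.
    public static bool ContainsDiscriminator(BsonDocument doc)
    {
        foreach (var element in doc.Elements)
        {
            if (element.Name == "_t") return true;
            if (ContainsDiscriminator(element.Value)) return true;
        }
        return false;
    }

    private static bool ContainsDiscriminator(BsonValue value)
    {
        if (value.IsBsonDocument) return ContainsDiscriminator(value.AsBsonDocument);
        if (value.IsBsonArray)
        {
            foreach (var item in value.AsBsonArray)
                if (ContainsDiscriminator(item)) return true;
        }
        return false;
    }
}

public static class Demo
{
    public static void Main()
    {
        Hardening.RegisterRestrictedObjectSerializer();

        // Constructed sample standing in for an untrusted request body;
        // the nested "_t" key is a placeholder, not a real type name.
        var untrusted = BsonDocument.Parse(
            "{ name: 'login', payload: { _t: 'PLACEHOLDER_TYPE', x: 1 } }");

        Console.WriteLine(Hardening.ContainsDiscriminator(untrusted)
            ? "rejected: document carries a _t discriminator"   // printed for this input
            : "accepted");
    }
}
```

The check rejects the sample because the discriminator sits one level down inside payload; a flat check on top-level keys only would miss it. Removing System.Object members from the model (condition 3) is the stronger fix, because it takes the driver's type resolution out of the picture entirely; the restricted serializer is defence in depth for code that cannot yet drop them.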