Arbitrary Code Execution Affecting mongodb.driver package, versions [,2.19.0)


Severity (Recommended): medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS: 0.1% (43rd percentile)

  • Snyk ID: SNYK-DOTNET-MONGODBDRIVER-3329316
  • published: 22 Feb 2023
  • disclosed: 22 Feb 2023
  • credit: Jonathan Birch of Microsoft Office Security

Introduced: 22 Feb 2023

CVE-2022-48282
CWE-502

How to fix?

Upgrade MongoDB.Driver to version 2.19.0 or higher.

Overview

MongoDB.Driver is the official .NET driver for MongoDB.

Affected versions of this package are vulnerable to Arbitrary Code Execution via ObjectSerializer when deserializing a compromised object. Exploiting this vulnerability allows a privileged user to achieve arbitrary code execution, which may lead to further disruption of services.

Note: an application is vulnerable only if all of the following conditions hold:

  1. The application must be written in C#, accept arbitrary data from users and serialize it with a _t discriminator, without any validation.

  2. The application must be running on a Windows host using the full .NET Framework, not .NET Core.

  3. The application must have a domain model class with a property or field explicitly of type System.Object, or a collection of System.Object (against MongoDB best practice).

  4. The attacker must have unrestricted insert access to the target database in order to add a _t discriminator.
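As an added illustration (not code from this advisory or from the MongoDB driver project): a domain model that meets condition 3 beside a hardened form with concrete types, plus an allow-list ObjectSerializer registration for the cases where an object-typed field cannot be removed. The registration assumes the ObjectSerializer(Func<Type, bool>) constructor and ObjectSerializer.DefaultAllowedTypes that driver 2.19.0 introduced, which this page does not show; AuditEventUnsafe, AuditEvent and EventDetails are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using MongoDB.Bson;
using MongoDB.Bson.Serialization;
using MongoDB.Bson.Serialization.Serializers;

// Condition 3 from the advisory: a field typed as System.Object is
// deserialized through ObjectSerializer, which picks the concrete CLR
// type from the document's _t discriminator. On the full .NET Framework
// (condition 2) that lets the document, not the code, choose the type.
public class AuditEventUnsafe
{
    public ObjectId Id { get; set; }
    public string Action { get; set; }
    public object Details { get; set; }           // type comes from _t
    public List<object> Attachments { get; set; } // same problem per element
}

// Hardened model: a concrete domain type means the driver never has to
// consult _t to decide what to instantiate for this field.
public class EventDetails
{
    public string Source { get; set; }
    public int Code { get; set; }
}

public class AuditEvent
{
    public ObjectId Id { get; set; }
    public string Action { get; set; }
    public EventDetails Details { get; set; }
    public List<EventDetails> Attachments { get; set; }
}

public static class SerializerSetup
{
    // Where an object-typed field genuinely cannot be avoided, register an
    // ObjectSerializer with an explicit allow-list (driver API from 2.19.0,
    // the fixed version named by this advisory). DefaultAllowedTypes covers
    // primitives and BSON types; any application type must be named here,
    // so a _t naming anything else is rejected instead of instantiated.
    public static void RegisterAllowListedObjectSerializer()
    {
        var allowed = new ObjectSerializer(type =>
            ObjectSerializer.DefaultAllowedTypes(type) ||
            type == typeof(EventDetails));
        BsonSerializer.RegisterSerializer(allowed);
    }
}
```

Call RegisterAllowListedObjectSerializer() once at startup, before any collection is accessed, so the allow-list is in place for every deserialization.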

CVSS Scores

version 3.1