Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0
Following configuration must be true for the vulnerability to be applicable: * Application must written in C# taking arbitrary data from users and serializing data using _t without any validation AND
* Application must be running on a Windows host using the full .NET Framework, not .NET Core AND
* Application must have domain model class with a property/field explicitly of type System.Object or a collection of type System.Object (against MongoDB best practice) AND
* Malicious attacker must have unrestricted insert access to target database to add a _t discriminator."Following configuration must be true for the vulnerability to be applicable
Metrics
Affected Vendors & Products
References
History
Fri, 22 Nov 2024 12:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
MITRE
Status: PUBLISHED
Assigner: mongodb
Published: 2023-02-21T18:35:11.643Z
Updated: 2024-08-03T15:10:59.481Z
Reserved: 2023-01-23T15:11:45.562Z
Link: CVE-2022-48282
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-02-21T19:15:10.827
Modified: 2024-11-21T07:33:04.807
Link: CVE-2022-48282
Redhat
No data.