CVE Vulnerabilities

CVE-2022-48282

Deserialization of Untrusted Data

Published: Feb 21, 2023 | Modified: Nov 21, 2024
CVSS 3.x: 7.2 HIGH (Source: NVD)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed, which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0.

Required configuration

The following configuration must be true for the vulnerability to be applicable:

  • Application must be written in C#, taking arbitrary data from users and serializing data using _t without any validation AND
  • Application must be running on a Windows host using the full .NET Framework, not .NET Core AND
  • Application must have a domain model class with a property/field explicitly of type System.Object or a collection of type System.Object (against MongoDB best practice) AND
  • Malicious attacker must have unrestricted insert access to the target database to add a _t discriminator.
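
The System.Object condition in the list above can be checked mechanically. The following is an added example, not code from the advisory or from MongoDB: a reflection-based audit that lists object-typed members of domain-model types. The Order class and every name in it are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Constructed sample model (hypothetical names), not from the advisory.
public class Order
{
    public string Id { get; set; }
    public object Metadata { get; set; }           // flagged
    public List<object> Attachments { get; set; }  // flagged
    public List<string> Tags { get; set; }         // not flagged
}

public static class ObjectMemberAudit
{
    // True for System.Object, object[], and generic types with System.Object
    // as a type argument (List<object>, Dictionary<string, object>, ...).
    public static bool IsObjectTyped(Type t)
    {
        if (t == typeof(object)) return true;
        if (t.IsArray) return IsObjectTyped(t.GetElementType());
        return t.IsGenericType && t.GetGenericArguments().Any(IsObjectTyped);
    }

    // Lists members declared on each given type whose declared type is object-typed.
    // Non-public members are included so the audit errs on the side of reporting.
    public static IEnumerable<string> Find(IEnumerable<Type> modelTypes)
    {
        const BindingFlags flags = BindingFlags.Instance | BindingFlags.Public |
                                   BindingFlags.NonPublic | BindingFlags.DeclaredOnly;
        foreach (var type in modelTypes)
        {
            foreach (var p in type.GetProperties(flags))
                if (IsObjectTyped(p.PropertyType))
                    yield return $"{type.FullName}.{p.Name} : {p.PropertyType}";
            foreach (var f in type.GetFields(flags))
                // Skip compiler-generated backing fields of auto-properties.
                if (IsObjectTyped(f.FieldType) && !f.Name.StartsWith("<"))
                    yield return $"{type.FullName}.{f.Name} : {f.FieldType}";
        }
    }

    public static void Main()
    {
        foreach (var hit in Find(new[] { typeof(Order) }))
            Console.WriteLine(hit);
    }
}
```

Pass the types of your own model assembly to Find, base classes included, since only members declared on each given type are inspected.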

Weakness

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Software

Name      | Vendor  | Start Version | End Version
C#_driver | Mongodb | *             | 2.19.0 (excluding)

Potential Mitigations

  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
