Uploaded image for project: 'C# Driver'
  1. C# Driver
  2. CSHARP-4475

Add an AllowedTypes filter to ObjectSerializer

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Unknown
    • Resolution: Done
    • 2.18.0
    • 2.19.0
    • Serialization
    • None
    • Minor Change

    Description

      CVE-2022-48282

      Title:

      Deserializing compromised object with MongoDB .NET/C# Driver may cause remote code execution

      CVE ID:

      CVE-2022-48282

      Description:
      Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0
      CVSS Score:

      This issue's CVSS:3.1 severity is scored at 6.6 using the following scoring metrics:
      CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

      All Affected Product Versions:

      All MongoDB .NET/C# Driver versions prior to and including v2.18.0

      CWE:

      CWE - 502 : Deserialization of Untrusted Data

      Is a Fixed Version Available?:

      MongoDB .NET/C# Driver v2.19.0

      How was the Issue Found? (Internally/Externally):

      Externally

      Internal Jira Reference:

      CSHARP-4475

      Required Configuration for Exposure (Optional):
      Application must written in C# taking arbitrary data from users and serializing data using _t without any validation AND
      Application must be running on a Windows host using the full .NET Framework, not .NET Core AND
      Application must have domain model class with a property/field explicitly of type System.Object or a collection of type System.Object (against MongoDB best practice) AND
      Malicious attacker must have unrestricted insert access to target database to add a _t discriminator.
      Credits  Jonathan Birch of Microsoft Office Security

      Attachments

        Issue Links

          Activity

            People

              robert@mongodb.com Robert Stam
              robert@mongodb.com Robert Stam
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: