[CSHARP-4475] Add an AllowedTypes filter to ObjectSerializer Created: 05/Jan/23  Updated: 24/Jan/24  Resolved: 26/Jan/23

Status: Closed
Project: C# Driver
Component/s: Serialization
Affects Version/s: 2.18.0
Fix Version/s: 2.19.0

Type: Improvement Priority: Unknown
Reporter: Robert Stam Assignee: Robert Stam
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to CSHARP-4495 Add conventions and attributes to con... Backlog
related to CSHARP-4534 Consider adding anonymous types to De... Closed
Backwards Compatibility: Minor Change

 Description   
CVE-2022-48282

Title:

Deserializing compromised object with MongoDB .NET/C# Driver may cause remote code execution

CVE ID:

CVE-2022-48282

Description:

Under very specific circumstances (see the Required Configuration for Exposure section below), a privileged user is able to cause arbitrary code to be executed, which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0.

CVSS Score:

This issue's CVSS:3.1 severity is scored at 6.6 using the following scoring metrics:
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

All Affected Product Versions:

All MongoDB .NET/C# Driver versions prior to and including v2.18.0

CWE:

CWE - 502 : Deserialization of Untrusted Data

Is a Fixed Version Available?:

MongoDB .NET/C# Driver v2.19.0

How was the Issue Found? (Internally/Externally):

Externally

Internal Jira Reference:

CSHARP-4475

Required Configuration for Exposure (Optional):
Application must be written in C#, taking arbitrary data from users and deserializing it based on the _t discriminator without any validation AND
Application must be running on a Windows host using the full .NET Framework, not .NET Core AND
Application must have a domain model class with a property/field explicitly of type System.Object, or a collection of type System.Object (against MongoDB best practice) AND
Malicious attacker must have unrestricted insert access to the target database in order to add a document carrying a crafted _t discriminator.
Credits:

Jonathan Birch of Microsoft Office Security
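The following is an added example (not part of this Jira issue and not the driver's own code) showing the exposed configuration described above and the mitigation introduced in 2.19.0: a domain class with a System.Object property, and an ObjectSerializer registered with an allowed-types filter so that a _t discriminator naming a type outside the application's own namespace is rejected instead of instantiated. It assumes MongoDB.Bson 2.19.0 or later; the namespace, class names and the out-of-allow-list discriminator value are constructed for illustration and are not a real gadget.

```csharp
// Added example, not the driver's or the issue's own code.
// Assumes MongoDB.Bson >= 2.19.0, where ObjectSerializer takes a Func<Type, bool> filter.
using System;
using MongoDB.Bson;
using MongoDB.Bson.Serialization;
using MongoDB.Bson.Serialization.Serializers;

namespace AllowedTypesExample
{
    // The exposed pattern from the advisory: a field typed as System.Object.
    // When stored, the driver writes a _t discriminator naming the runtime type;
    // when read back, ObjectSerializer instantiates whatever type _t names.
    public class Event
    {
        public ObjectId Id { get; set; }
        public string Name { get; set; }
        public object Payload { get; set; }
    }

    // A type the application legitimately stores in Payload (hypothetical).
    public class Coordinates
    {
        public double Lat { get; set; }
        public double Lon { get; set; }
    }

    public static class Program
    {
        public static void Main()
        {
            // Mitigation: allow the driver's default safe set plus only types
            // from this application's namespace. Must run before any serializer
            // for object is resolved, otherwise the registration is refused.
            var restricted = new ObjectSerializer(type =>
                ObjectSerializer.DefaultAllowedTypes(type)
                || type.Namespace == typeof(Event).Namespace);
            BsonSerializer.RegisterSerializer(restricted);

            // Legitimate round trip: _t names a type inside the allow-list.
            var stored = new Event { Name = "login", Payload = new Coordinates { Lat = 1.0, Lon = 2.0 } };
            var json = stored.ToJson();
            var back = BsonSerializer.Deserialize<Event>(json);
            Console.WriteLine("Allowed: " + back.Payload.GetType().FullName);

            // Constructed document with a _t outside the allow-list, standing in
            // for a discriminator an attacker could insert directly into the
            // collection. With the filter, this throws instead of instantiating.
            var crafted = "{ \"Name\": \"login\", \"Payload\": { \"_t\": \"System.Diagnostics.Process, System\" } }";
            try
            {
                BsonSerializer.Deserialize<Event>(crafted);
                Console.WriteLine("Unexpected: crafted _t was accepted");
            }
            catch (BsonSerializationException ex)
            {
                Console.WriteLine("Rejected: " + ex.Message);
            }
        }
    }
}
```

Registering the filtered ObjectSerializer must happen at application start-up, before any deserialization involving System.Object has taken place, and the allow-list should be kept as narrow as the domain model permits; removing the System.Object property entirely, as the advisory's best-practice note suggests, removes the exposure altogether.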



 Comments   
Comment by Githook User [ 21/Feb/23 ]

Author:

{'name': 'James Kovacs', 'email': 'jkovacs@post.harvard.edu', 'username': 'JamesKovacs'}

Message: CSHARP-4475: Added mention of CVE-2022-48282 to the release notes.
Branch: master
https://github.com/mongodb/mongo-csharp-driver/commit/754b7464d9395d04e10620fb763c450baac21dea

Comment by Githook User [ 26/Jan/23 ]

Author:

{'name': 'rstam', 'email': 'robert@robertstam.org', 'username': 'rstam'}

Message: CSHARP-4475: Add an AllowedTypes filter to ObjectSerializer.
Branch: master
https://github.com/mongodb/mongo-csharp-driver/commit/790f1233b360b1638fdec17c73a2cb67710b488e

Generated at Wed Feb 07 21:48:20 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.