PT-2023-15661 · Mongodb · Mongodb .Net/C# Driver

Jonathan Birch · Published 2023-02-21 · Updated 2023-08-12

CVE-2022-48282
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MongoDB .NET/C# Driver versions prior to and including v2.18.0

Description: Under very specific circumstances, a privileged user is able to cause arbitrary code to be executed, which may cause further disruption to services. This issue is specific to applications written in C#. All of the following conditions must be met: the application is written in C#, runs on a Windows host using the full .NET Framework, has a domain model class with a property or field of type System.Object, and the malicious attacker has unrestricted insert access to the target database.

Recommendations: For MongoDB .NET/C# Driver versions prior to and including v2.18.0, update to a version later than v2.18.0 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable application and ensuring that all user input is properly validated to minimize the risk of exploitation. Avoid using the System.Object type in domain model classes and ensure that all data serialization is properly validated. Restrict insert access to the target database to prevent malicious attackers from adding a _t discriminator.
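Added example, not part of this advisory or the driver's own code: the domain model shape the description refers to (a member typed System.Object), together with the allow-list ObjectSerializer registration that driver versions after v2.18.0 provide as the fix, exercised on two constructed documents. It assumes the MongoDB.Bson package at 2.19.0 or later; the Product class and the MyCompany.Models namespace prefix are hypothetical.

```csharp
using System;
using MongoDB.Bson;
using MongoDB.Bson.Serialization;
using MongoDB.Bson.Serialization.Serializers;

// The model shape the advisory describes (hypothetical class): a member typed
// System.Object, whose concrete CLR type is chosen by the "_t" field in stored data.
public class Product
{
    public string Name { get; set; }
    public object Metadata { get; set; }   // the risky member
}

public static class Program
{
    public static void Main()
    {
        // Mitigation in driver versions after v2.18.0: replace the default ObjectSerializer
        // with one that allow-lists the types "_t" may name. DefaultAllowedTypes covers BSON
        // primitives and collections; extend it only with your own model namespace (assumed here).
        var restricted = new ObjectSerializer(type =>
            ObjectSerializer.DefaultAllowedTypes(type) ||
            (type.FullName != null && type.FullName.StartsWith("MyCompany.Models.")));
        BsonSerializer.RegisterSerializer(restricted);

        // Constructed sample documents (not real data): an ordinary record, and one
        // whose Metadata carries a "_t" naming a type outside the allow-list.
        var normal = new BsonDocument
        {
            { "Name", "widget" },
            { "Metadata", "plain string value" }
        };
        var tampered = new BsonDocument
        {
            { "Name", "widget" },
            { "Metadata", new BsonDocument { { "_t", "System.Text.StringBuilder" } } }
        };
        var ok = BsonSerializer.Deserialize<Product>(normal);
        Console.WriteLine($"accepted: {ok.Name} / {ok.Metadata}");
        try
        {
            BsonSerializer.Deserialize<Product>(tampered);
        }
        catch (BsonSerializationException ex)
        {
            Console.WriteLine($"rejected: {ex.Message}");
        }
    }
}
```

With the restricted serializer registered, the second document is refused with a BsonSerializationException rather than having the named type instantiated.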

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2022-48282
GHSA-7J9M-J397-G4WX

Affected Products

Mongodb .Net/C# Driver