{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "2.19.0" } ] }, "events": [ { "introduced": "0" }, { "fixed": "3db6a367ebbbabb164e24c0e74eb061b49c9e855" } ], "repo": "https://github.com/mongodb/mongo-csharp-driver", "type": "GIT" } ] } ], "details": "Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0\n\nFollowing configuration must be true for the vulnerability to be applicable: * Application must written in C# taking arbitrary data from users and serializing data using _t without any validation AND\n * Application must be running on a Windows host using the full .NET Framework, not .NET Core AND\n * Application must have domain model class with a property/field explicitly of type System.Object or a collection of type System.Object (against MongoDB best practice) AND\n * Malicious attacker must have unrestricted insert access to target database to add a _t discriminator.\"Following configuration must be true for the vulnerability to be applicable\n\n\n\n", "id": "CVE-2022-48282", "modified": "2026-03-15T13:45:44.035447027Z", "published": "2023-02-21T19:15:10.827Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/mongodb/mongo-csharp-driver/releases/tag/v2.19.0" }, { "type": "ADVISORY", "url": "https://security.netapp.com/advisory/ntap-20230324-0003/" }, { "type": "FIX", "url": "https://jira.mongodb.org/browse/CSHARP-4475" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] }