
CVE-2022-48282:
MongoDB .NET/C# Driver vulnerable to Deserialization of Untrusted Data

CVSS Score
7.2 (CVSS v3.1)

Basic Information

EPSS Score
0.58284%
Published
2/21/2023
Updated
3/3/2023
KEV Status
No
Technology
C#

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Package Name    Ecosystem  Vulnerable Versions  First Patched Version
MongoDB.Driver  nuget      < 2.19.0             2.19.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from insecure deserialization in the ObjectSerializer class, the serializer the driver applies to members declared as object. The 2.19.0 release notes describe hardening ObjectSerializer by introducing an AllowedTypes configuration that restricts which CLR types it will instantiate. The CWE-502 classification and MongoDB's own advisory both point to the same vector: the type discriminator (_t) stored in a document is attacker-controlled data, and ObjectSerializer.Deserialize resolves it to a concrete type and instantiates that type before validating anything. That method is therefore the primary entry point, since it performs the polymorphic deserialization driven by the discriminator. Note the PR:H component of the CVSS vector: the attacker must already be able to write documents that the application later deserializes into object-typed members, which is why the advisory speaks of a privileged user.
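As an added example (not code from the Miggo page or from the MongoDB driver project), the following C# program contrasts the pre-2.19 behaviour, in which ObjectSerializer instantiates whatever type a document's _t names, with the allowed-types predicate that 2.19.0 added to ObjectSerializer. It assumes the MongoDB.Bson package at 2.19.0 or later; the Demo namespace, the Note and Invoice classes, the registered discriminator strings and both JSON documents are constructed for illustration.

```csharp
// Added example, not code from the Miggo page or from the MongoDB driver
// project. Assumes MongoDB.Bson 2.19.0 or later (the release that gave
// ObjectSerializer an allowed-types predicate). The Demo namespace, the
// Note and Invoice classes, the discriminator strings and the JSON
// documents below are constructed for illustration.
using System;
using MongoDB.Bson;
using MongoDB.Bson.IO;
using MongoDB.Bson.Serialization;
using MongoDB.Bson.Serialization.Serializers;

namespace Demo
{
    // A type the application does want to round-trip through object-typed members.
    namespace Payloads { public class Note { public string Text { get; set; } } }

    // A type the application never intended to be created from a stored document.
    public class Invoice
    {
        public string Customer { get; set; }
        public int Quantity { get; set; }
    }

    public static class Program
    {
        // Constructed sample documents, as someone with write access to the
        // collection could have stored them. "_t" is the type discriminator:
        // ObjectSerializer resolves it to a CLR type and hands the remaining
        // fields to that type's serializer.
        const string BenignJson  = @"{ ""_t"": ""Demo.Payloads.Note"", ""Text"": ""hello"" }";
        const string HostileJson = @"{ ""_t"": ""Demo.Invoice"", ""Customer"": ""x"", ""Quantity"": 1 }";

        public static void Main()
        {
            // Explicit discriminator strings make the "_t" lookup deterministic
            // in this demo. Without a registration the driver also accepts
            // assembly-qualified type names in "_t", which is what makes an
            // attacker-chosen discriminator dangerous.
            BsonClassMap.RegisterClassMap<Payloads.Note>(cm => { cm.AutoMap(); cm.SetDiscriminator("Demo.Payloads.Note"); });
            BsonClassMap.RegisterClassMap<Invoice>(cm => { cm.AutoMap(); cm.SetDiscriminator("Demo.Invoice"); });

            // Pre-2.19 behaviour: any resolvable type named in "_t" is instantiated.
            var permissive = new ObjectSerializer(ObjectSerializer.AllowAllTypes);

            // Hardened: the 2.19 defaults (primitives, anonymous types, a few BCL
            // collection types) plus the one namespace this application expects.
            var restricted = new ObjectSerializer(
                type => ObjectSerializer.DefaultAllowedTypes(type) || type.Namespace == "Demo.Payloads");

            Report("permissive / benign",  permissive, BenignJson);  // creates Demo.Payloads.Note
            Report("permissive / hostile", permissive, HostileJson); // creates Demo.Invoice
            Report("restricted / benign",  restricted, BenignJson);  // creates Demo.Payloads.Note
            Report("restricted / hostile", restricted, HostileJson); // rejected before instantiation
        }

        // Deserializes one document through the given ObjectSerializer instance and
        // reports either the concrete type that was created or the rejection.
        static void Report(string label, ObjectSerializer serializer, string json)
        {
            try
            {
                var value = DeserializeObject(serializer, json);
                Console.WriteLine($"{label}: created {value.GetType().FullName}");
            }
            catch (BsonSerializationException ex)
            {
                Console.WriteLine($"{label}: rejected ({ex.Message})");
            }
        }

        // Drives a single ObjectSerializer instance directly so two predicates can
        // be compared in one process; a real application registers one globally.
        static object DeserializeObject(ObjectSerializer serializer, string json)
        {
            var document = BsonDocument.Parse(json);
            using var reader = new BsonDocumentReader(document);
            var context = BsonDeserializationContext.CreateRoot(reader);
            return serializer.Deserialize(context);
        }
    }
}
```

In an application the restricted serializer is installed once, before any deserialization, with `BsonSerializer.RegisterSerializer(new ObjectSerializer(...))`; the predicate is then consulted for every object-typed member the driver reads. The check only gates types resolved from _t, so it mitigates this CVE but does not remove the underlying precondition: anyone who can write to the collection still controls the documents the application later deserializes, which is the privileged position the CVSS vector (PR:H) describes.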

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

Under very specific circumstances, a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to 2.19.0.
