
CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Feb 2023 — Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed, which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0. The following configuration must be true for the vulnerability to be applicable: * Application must be written in C# taking arbitrary data from users and serializing data using _t without any validati... • https://github.com/mongodb/mongo-csharp-driver/releases/tag/v2.19.0 • CWE-502: Deserialization of Untrusted Data

CVSS: 4.9 • EPSS: 0% • CPEs: 2 • EXPL: 0

13 May 2021 — Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser", and "updateUser" are executed. Without due care, an application may inadvertently expose this authentication-related information, e.g., by writing it to a log file. This issue only arises if an application enables ... • https://jira.mongodb.org/browse/CSHARP-3521 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor