Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-48282: Release NET Driver Version 2.19.0 Release Notes · mongodb/mongo-csharp-driver

Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0

CVE
#aws#mongo#jira

.NET Driver Version 2.19.0 Release Notes

This is the general availability release for the 2.19.0 version of the driver.

The main new features in 2.19.0 include:

  • Atlas Search builders
  • Default LinqProvider changed to LINQ3
  • ObjectSerializer allowed types configuration
  • Bucket and BucketAuto stages support in LINQ3
  • Support Azure VM-assigned Managed Identity for Automatic KMS Credentials
  • Native support for AWS IAM Roles

This version addresses CVE-2022-48282.

ObjectSerializer allowed types configuration

The ObjectSerializer has been changed to only allow deserialization of types that are considered safe.
What types are considered safe is determined by a new configurable AllowedTypes function (of type Func<Type, bool>).
The default AllowedTypes function is ObjectSerializer.DefaultAllowedTypes which returns true for a number of well-known framework types that we have deemed safe.
A typical example might be to allow all the default allowed types as well as your own types. This could be accomplished as follows:

var objectSerializer = new ObjectSerializer(type => ObjectSerializer.DefaultAllowedTypes(type) || type.FullName.StartsWith("MyNamespace"));
BsonSerializer.RegisterSerializer(objectSerializer);

More information about the ObjectSerializer is available in our FAQ.

Default LinqProvider changed to LINQ3

Default LinqProvider has been changed to LINQ3.
LinqProvider can be changed back to LINQ2 in the following way:

var connectionString = "mongodb://localhost";
var clientSettings = MongoClientSettings.FromConnectionString(connectionString);
clientSettings.LinqProvider = LinqProvider.V2;
var client = new MongoClient(clientSettings);

If you encounter a bug in LINQ3 provider, please report it in CSHARP JIRA project.

An online version of these release notes is available here.

The full list of issues resolved in this release is available at CSHARP JIRA project.

Documentation on the .NET driver can be found here.

Related news

CVE-2022-48282: System Dashboard - MongoDB Jira

Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907