CVE-2022-48282: 
C# vulnerability analysis and mitigation

A vulnerability (CVE-2022-48282) was discovered in MongoDB .NET/C# Driver versions prior to and including v2.18.0. The vulnerability allows privileged users to execute arbitrary code under specific circumstances, potentially causing service disruptions. The issue was discovered externally and was disclosed on February 21, 2023 (MongoDB JIRA, NVD).

The vulnerability is related to deserialization of untrusted data (CWE-502) and has a CVSS v3.1 base score of 7.2 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability specifically affects applications written in C# that handle arbitrary data serialization using _t without proper validation (NVD).

Successful exploitation of this vulnerability could lead to arbitrary code execution, potentially causing service disruptions, disclosure of sensitive information, and modification of data. The impact is particularly severe for applications running on Windows hosts using the full .NET Framework (MongoDB JIRA).

The vulnerability has been fixed in MongoDB .NET/C# Driver version 2.19.0. The fix includes the implementation of an ObjectSerializer with AllowedTypes configuration to control which types can be deserialized. Users can upgrade to version 2.19.0 or later to address this vulnerability (MongoDB Release).