Lucene search

K

GitHub Advisory DatabaseGHSA-M87M-MMVP-V9QM

HistoryJun 05, 2024 - 3:30 p.m.

PyMongo Out-of-bounds Read in the bson module

2024-06-0515:30:39

CWE-125

GitHub Advisory Database

github.com

3

pymongo

out-of-bounds read

bson module

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

4.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

37.3%

Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the following bytes are not printable UTF-8 the parser throws an exception with a single byte.

Affected configurations

Vulners

Node

mongodbpymongoRange<4.6.3

CPENameOperatorVersion
pymongolt4.6.3

References

gist.github.com/keltecc/62a7c2bf74a997d0a7b48a0ff3853a03

github.com/advisories/GHSA-m87m-mmvp-v9qm

github.com/mongodb/mongo-python-driver/commit/56b6b6dbc267d365d97c037082369dabf37405d2

jira.mongodb.org/browse/PYTHON-4305

lists.debian.org/debian-lts-announce/2024/06/msg00007.html

nvd.nist.gov/vuln/detail/CVE-2024-5629

security.snyk.io/vuln/SNYK-PYTHON-PYMONGO-6370597

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

4.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

37.3%

Related for GHSA-M87M-MMVP-V9QM

mongodb1 cve2 debiancve1 nvd2 ubuntucve1 osv3 redos1 cvelist1 veracode1 wolfi1 nessus1 redhatcve1 vulnrichment1 github1