Lucene search

[email protected]NVD:CVE-2024-6376

HistoryJul 01, 2024 - 3:15 p.m.

CVE-2024-6376

2024-07-0115:15:17

CWE-20

CWE-94

[email protected]

web.nvd.nist.gov

mongodb

code injection

sandbox protection

ejson shell parser

compass

connection handling

vulnerability

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

28.3%

JSON

MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass’ connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2

Affected configurations

Nvd

Node

mongodbcompassRange<1.42.2

VendorProductVersionCPE
mongodbcompass*cpe:2.3:a:mongodb:compass:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mongodb	compass	*	cpe:2.3:a:mongodb:compass::::::::

References

jira.mongodb.org/browse/COMPASS-7496

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

28.3%

JSON

Related for NVD:CVE-2024-6376

cve1 cvelist1 vulnrichment1 mongodb1