CVE-2015-4412 - OpenCVE

BSON injection vulnerability in the legal? function in BSON (bson-ruby) gem before 3.0.4 for Ruby allows remote attackers to cause a denial of service (resource consumption) or inject arbitrary data via a crafted string.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Bson Project	Bson

Configuration 1 [-]

cpe:2.3:a:bson_project:bson:3.0.3:*:*:*:*:ruby:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2015/06/06/3	Mailing List
http://www.securityfocus.com/bid/75045	VDB Entry Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1229750	Issue Tracking Third Party Advisory
https://github.com/mongodb/bson-ruby/commit/976da329ff03ecdfca3030eb6efe3c85e6db9999	Third Party Advisory
https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7	Issue Tracking Patch Third Party Advisory
https://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html	Exploit Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-02-05T16:00:00

Updated: 2018-02-05T15:57:02

Reserved: 2015-06-06T00:00:00

Link: CVE-2015-4412

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-02-05T16:29:00.410

Modified: 2018-03-13T19:49:42.773

Link: CVE-2015-4412

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-06-04T00:00:00", "descriptions": [{"lang": "en", "value": "BSON injection vulnerability in the legal? function in BSON (bson-ruby) gem before 3.0.4 for Ruby allows remote attackers to cause a denial of service (resource consumption) or inject arbitrary data via a crafted string."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-05T15:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "75045", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/75045"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mongodb/bson-ruby/commit/976da329ff03ecdfca3030eb6efe3c85e6db9999"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7"}, {"tags": ["x_refsource_MISC"], "url": "https://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1229750"}, {"name": "[oss-security] 20150606 Re: CVE Request: bson-ruby DoS and possible injection", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/06/06/3"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-4412", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "BSON injection vulnerability in the legal? function in BSON (bson-ruby) gem before 3.0.4 for Ruby allows remote attackers to cause a denial of service (resource consumption) or inject arbitrary data via a crafted string."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "75045", "refsource": "BID", "url": "http://www.securityfocus.com/bid/75045"}, {"name": "https://github.com/mongodb/bson-ruby/commit/976da329ff03ecdfca3030eb6efe3c85e6db9999", "refsource": "CONFIRM", "url": "https://github.com/mongodb/bson-ruby/commit/976da329ff03ecdfca3030eb6efe3c85e6db9999"}, {"name": "https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7", "refsource": "CONFIRM", "url": "https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7"}, {"name": "https://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html", "refsource": "MISC", "url": "https://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1229750", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1229750"}, {"name": "[oss-security] 20150606 Re: CVE Request: bson-ruby DoS and possible injection", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/06/06/3"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-4412", "datePublished": "2018-02-05T16:00:00", "dateReserved": "2015-06-06T00:00:00", "dateUpdated": "2018-02-05T15:57:02", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bson_project:bson:3.0.3:*:*:*:*:ruby:*:*", "matchCriteriaId": "10146522-3ED4-4414-8A7E-A9E47FD673B7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "BSON injection vulnerability in the legal? function in BSON (bson-ruby) gem before 3.0.4 for Ruby allows remote attackers to cause a denial of service (resource consumption) or inject arbitrary data via a crafted string."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n BSON en la funci\u00f3n legal? en la gema BSON (bson-ruby) en su versi\u00f3n 3.0.4 para Ruby permite que los atacantes remotos provoquen una denegaci\u00f3n de servicio (consumo de recursos) o inyecten datos arbitrarios mediante una cadena manipulada."}], "id": "CVE-2015-4412", "lastModified": "2018-03-13T19:49:42.773", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-05T16:29:00.410", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2015/06/06/3"}, {"source": "cve@mitre.org", "tags": ["VDB Entry", "Third Party Advisory"], "url": "http://www.securityfocus.com/bid/75045"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1229750"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/mongodb/bson-ruby/commit/976da329ff03ecdfca3030eb6efe3c85e6db9999"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}