CVE-2024-5629 - OpenCVE

An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Mongodb	Pymongo

Configuration 1 [-]

cpe:2.3:a:mongodb:pymongo:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

References

Link	Resource
https://jira.mongodb.org/browse/PYTHON-4305	Issue Tracking Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/06/msg00007.html	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mongodb

Published: 2024-06-05T14:32:56.435Z

Updated: 2024-06-05T14:32:56.435Z

Reserved: 2024-06-04T13:49:31.496Z

Link: CVE-2024-5629

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-06-05T15:15:12.737

Modified: 2024-06-18T18:31:05.663

Link: CVE-2024-5629

JSON object: View

Redhat Information

No data.

CWE

CWE-125

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-5629", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "state": "PUBLISHED", "assignerShortName": "mongodb", "dateReserved": "2024-06-04T13:49:31.496Z", "datePublished": "2024-06-05T14:32:56.435Z", "dateUpdated": "2024-06-05T14:32:56.435Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:mongodb:python_driver:0.4:pre:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.5:pre:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.5.1:pre:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.5.2:pre:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.5.3:pre:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.6:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.7:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.7.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.7.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.8:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.8.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.9:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.9.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.9.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.9.3:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.9.4:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.9.5:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.10.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.10.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.10.3:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.11:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.11.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.11.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.11.3:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.12:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.13:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.14:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.14.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.14.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.15:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.15.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.15.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:0.16:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1.1.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1.1.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1.2.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1.3:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1.4:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1.5:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1.5.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1.5.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1.6:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1.7:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1.8:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1.8.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1.9:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1.10.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:1.11:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.0.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.1.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.2:-:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.2:rc1:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.2.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.3:-:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.3:rc1:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.4:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.4.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.4.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.5:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.5.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.5.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.6:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.6.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.6.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.6.3:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.7:-:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.7:rc0:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.7:rc1:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.7.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.7.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.8:-:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.8:rc0:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.8:rc1:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.8:rc2:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.8.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.9:-:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.9:rc0:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.9.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.9.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.9.3:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.9.4:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:2.9.5:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3:-:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3:b0:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3:b1:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3:rc0:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3:rc1:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.0.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.0.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.0.3:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.1:-:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.1:rc0:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.1.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.2:-:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.2:rc0:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.2.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.2.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.3.0:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.3.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.4:rc0:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.4.0:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.5.0:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.5.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.6:rc0:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.6.0:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.6.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.7.0:-:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.7.0:b0:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.7.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.7.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.8.0:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.9.0:-:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.9.0:b0:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.9.0:b1:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.10.0:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.10.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.11.0:-:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.11.0:b0:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.11.0:b1:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.11.0:rc0:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.11.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.11.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.11.3:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.11.4:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.12.0:b0:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.12.0:b1:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.12.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.12.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.12.3:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:3.13.0:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:4.0.0:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:4.0.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:4.0.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:4.1.0:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:4.1.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:4.2.0:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:4.3.2:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:4.3.3:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:4.4.0:b0:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:4.4.0:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:4.4.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:4.5.0:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:4.6.0:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:4.6.1:*:*:*:*:mongodb:*:*", "cpe:2.3:a:mongodb:python_driver:4.6.2:*:*:*:*:mongodb:*:*"], "defaultStatus": "unaffected", "product": "PyMongo", "vendor": "MongoDB Inc", "versions": [{"lessThanOrEqual": "4.6.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2024-06-05T14:32:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.</span></span><br>"}], "value": "An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-06-05T14:32:56.435Z"}, "references": [{"tags": ["release-notes"], "url": "https://jira.mongodb.org/browse/PYTHON-4305"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00007.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Out-of-bounds read in bson module of PyMongo", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-05T20:52:39.427569Z", "id": "CVE-2024-5629", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-05T20:52:59.238Z"}}]}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:pymongo:*:*:*:*:*:*:*:*", "matchCriteriaId": "2AB51ADC-4E52-4BBA-BD71-B402D3021CCD", "versionEndExcluding": "4.6.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory."}, {"lang": "es", "value": "Una lectura fuera de los l\u00edmites en el m\u00f3dulo 'bson' de PyMongo 4.6.2 o anterior permite la deserializaci\u00f3n de BSON mal formado proporcionado por un servidor para generar una excepci\u00f3n que puede contener memoria de aplicaci\u00f3n arbitraria."}], "id": "CVE-2024-5629", "lastModified": "2024-06-18T18:31:05.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.7, "source": "cna@mongodb.com", "type": "Secondary"}]}, "published": "2024-06-05T15:15:12.737", "references": [{"source": "cna@mongodb.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://jira.mongodb.org/browse/PYTHON-4305"}, {"source": "cna@mongodb.com", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00007.html"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-125"}], "source": "cna@mongodb.com", "type": "Secondary"}]}