CVE-2024-6376

MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass' connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://jira.mongodb.org/browse/COMPASS-7496	Issue Tracking Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mongodb:compass:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-07-01 15:15

Updated : 2024-07-03 15:04

NVD link : CVE-2024-6376

Mitre link : CVE-2024-6376

CVE.ORG link : CVE-2024-6376

JSON object : View

Products Affected

mongodb

compass

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-20

Improper Input Validation

{"id": "CVE-2024-6376", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "cna@mongodb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}]}, "published": "2024-07-01T15:15:17.673", "references": [{"url": "https://jira.mongodb.org/browse/COMPASS-7496", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "source": "cna@mongodb.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}, {"type": "Secondary", "source": "cna@mongodb.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass' connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2"}, {"lang": "es", "value": "MongoDB Compass puede ser susceptible a la inyecci\u00f3n de c\u00f3digo debido a una configuraci\u00f3n insuficiente de protecci\u00f3n de la zona de pruebas con el uso del analizador de shell ejson en el manejo de conexiones de Compass. Este problema afecta a las versiones de MongoDB Compass anteriores a la versi\u00f3n 1.42.2"}], "lastModified": "2024-07-03T15:04:52.463", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:compass:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C0CC548-DDB4-4527-AEBC-1993B3E39EDA", "versionEndExcluding": "1.42.2"}], "operator": "OR"}]}], "sourceIdentifier": "cna@mongodb.com"}