CVE-2024-6376 — Improper Input Validation in INC Mongodb Compass

CWE-20 — Improper Input Validation CWE-94 — Code Injection5 documents5 sources

Severity

9.8CRITICALNVD

CNA7.0

EPSS

0.5%

top 33.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb INC Mongodb Compass Mongodb Compass Mongodb-js Connection-form

Timeline

PublishedJul 1

Description

MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass' connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDmongodb/compass< 1.42.2

▶CVEListV5mongodb_inc/mongodb_compass< 1.42.2

▶npmmongodb-js/connection-form< 1.20.1

Patches

Patch: jira.mongodb.org ↗Patch: jira.mongodb.org ↗

🔴Vulnerability Details

CVEList

ejson shell parser in MongoDB Compass maybe bypassed↗2024-07-01

▶

OSV

ejson shell parser in MongoDB Compass maybe bypassed↗2024-07-01

▶

GHSA

ejson shell parser in MongoDB Compass maybe bypassed↗2024-07-01

▶