ejson shell parser in MongoDB Compass may be bypassed


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 1.42.2
    • Affects Version/s: None
    • Component/s: None
    • None
    • Environment:
      OS: macOS 13.4.1
      node.js / npm versions:
      Additional info:
      Compass download here: https://www.mongodb.com/try/download/compass
    • Iteration Pterodactyl, Iteration Qantassaurus
    • Not Needed
    • None

      CVE Jira: CVE-89


      CVE ID: 

      CVE-2024-6376

      Title:
      ejson shell parser in MongoDB Compass may be bypassed

      Description:
      MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of the ejson shell parser in Compass' connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2.

      CVSS Score:
      7.0 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H


      List all affected product versions:
      MongoDB Compass versions prior to version 1.42.2

      CWE:

      CWE-20: Improper Input Validation

      Is a fixed version available:
      Yes

            Assignee:
            Rhys Howell
            Reporter:
            Karman Liu
            Votes:
            0
            Watchers:
            3

              Created:
              Updated:
              Resolved: