ejson shell parser in MongoDB Compass may be bypassed


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 1.42.2
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Environment:
      OS: macOS 13.4.1
      Compass download here: https://www.mongodb.com/try/download/compass
    • Iteration Pterodactyl, Iteration Qantassaurus
    • Not Needed
    • None

      CVE Jira: CVE-89

      CVE ID:
      CVE-2024-6376

      Title:
      ejson shell parser in MongoDB Compass may be bypassed

      Description:
      MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings in its use of the ejson shell parser for connection handling. This issue affects MongoDB Compass versions prior to 1.42.2.

      CVSS Score:
      7.0 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

      List all affected product versions:
      MongoDB Compass versions prior to version 1.42.2

      CWE:
      CWE-20: Improper Input Validation

      Is a fixed version available:
      Yes

              Assignee:
              Rhys Howell
              Reporter:
              Karman Liu (Inactive)
              Votes:
              0
              Watchers:
              3