Compass / COMPASS-7496

ejson shell parser in MongoDB Compass may be bypassed

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 1.42.2
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Environment:
      OS: macOS 13.4.1
      node.js / npm versions: (not given)
      Additional info:
      Compass download here: https://www.mongodb.com/try/download/compass
    • Iteration Pterodactyl, Iteration Qantassaurus
    • Not Needed

      CVE Jira: CVE-89

      CVE ID: CVE-2024-6376

      Title:
      ejson shell parser in MongoDB Compass may be bypassed

      Description:
      MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings in its use of the ejson shell parser within Compass' connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2.

      CVSS Score:
      7.0 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

      List all affected product versions:
      MongoDB Compass versions prior to version 1.42.2

      CWE:
      CWE-20: Improper Input Validation

      Is a fixed version available:
      Yes

      Assignee: Rhys Howell (rhys.howell@mongodb.com)
      Reporter: Karman Liu (karman.liu@mongodb.com)
      Votes: 0
      Watchers: 3