When my IT org is running a security scan on the pymongo Python module, it is picking up the BSON module file as having a vulnerability. See details below:
CWE Description: There is a potential buffer overflow with these functions. If an attacker can control the data written into the buffer, the overflow may result in execution of arbitrary code.
Function Name: int buffer_write(buffer_t, const char *, int)
Info: This call to memcpy() contains a potential buffer overflow. The specified size of 18446744073709551615 bytes is larger than the space allocated to the destination buffer ((tainted) bytes). If an attacker can control the data written into the buffer, the overflow may result in execution of arbitrary code. Ensure that the specified size is within the bounds of the allocated space. References: CWE (https://cwe.mitre.org/data/definitions/121.html) OWASP (https://www.owasp.org/index.php/Buffer_Overflow) WASC (https://webappsec.pbworks.com/Buffer-Overflow)
Function Name: int buffer_write_at_position(buffer_t, int, const char *, int)
Info: This call to memcpy() contains a buffer overflow. The dest buffer variable has a size of (unavailable) bytes, but the length specified is 18446744073709551615 bytes. If an attacker can control the data written into the buffer, the overflow may result in execution of arbitrary code. Ensure that the size of the dest buffer corresponds to the length specified in the function call. References: CWE (https://cwe.mitre.org/data/definitions/121.html) OWASP (https://www.owasp.org/index.php/Buffer_Overflow) WASC (https://webappsec.pbworks.com/Buffer-Overflow)
Please advise if this can be resolved.
Is related to: PYTHON-2260 Compile warning "_POSIX_C_SOURCE" redefined on RHEL 7.0 with Python 2.7.5 (Closed)
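The reported length 18446744073709551615 is SIZE_MAX, which is what a negative int becomes when it is converted to memcpy()'s size_t parameter; scanners report it when they cannot prove the length was bounds-checked first. The following is an added example, not pymongo's own buffer.c: a hypothetical buffer_t (assumed here to be a pointer typedef, matching the reported signatures) whose write functions validate position and size while they are still signed, so the scanner's "tainted size" path is rejected before any memcpy().

```c
/* Added example, not pymongo's own code: a hypothetical buffer_t whose
 * writes are bounds-checked before memcpy(). The reported length
 * 18446744073709551615 is SIZE_MAX, i.e. a negative int converted to
 * size_t, so sizes are validated while still signed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct buffer {
    char *buffer;
    int size;      /* allocated capacity in bytes */
    int position;  /* bytes written so far */
};
typedef struct buffer *buffer_t;  /* pointer typedef, matching the reported signature */

buffer_t buffer_new(int capacity) {
    if (capacity <= 0) return NULL;
    buffer_t b = malloc(sizeof *b);
    if (!b) return NULL;
    b->buffer = malloc((size_t)capacity);
    if (!b->buffer) { free(b); return NULL; }
    b->size = capacity;
    b->position = 0;
    return b;
}

void buffer_free(buffer_t b) {
    if (b) { free(b->buffer); free(b); }
}

/* What memcpy() receives when a negative int reaches its size_t parameter. */
size_t as_memcpy_size(int size) { return (size_t)size; }

/* Returns 0 on success, -1 when the write does not fit. Checks run on ints
 * before the cast; "size > b->size - position" cannot overflow because
 * position was already confirmed to lie within [0, b->size]. */
int buffer_write_at_position(buffer_t b, int position, const char *data, int size) {
    if (!b || !data || position < 0 || size < 0) return -1;
    if (position > b->size || size > b->size - position) return -1;
    memcpy(b->buffer + position, data, (size_t)size);
    return 0;
}

int buffer_write(buffer_t b, const char *data, int size) {
    if (buffer_write_at_position(b, b->position, data, size) != 0) return -1;
    b->position += size;  /* cannot overflow: position + size <= b->size */
    return 0;
}
```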