PT-2024-18921 · Pypi+1 · Pymongo+1

Published 2024-04-05 · Updated 2024-06-13 · CVE-2024-21506

CVSS v3.1: 5.2 (Medium)
Vector: AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: pymongo versions prior to 4.6.3

Description: The issue is an Out-of-bounds Read in the bson module. An attacker could use a crafted payload to force the parser to deserialize unmanaged memory. The parser attempts to interpret bytes beyond the end of the buffer and raises an exception whose message includes the string it read. If those out-of-bounds bytes are not printable UTF-8, the parser instead raises an exception containing a single byte.

Recommendations: For versions prior to 4.6.3, update to version 4.6.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the bson module until the patch is applied, and avoid deserializing crafted payloads that could force the parser to read unmanaged memory.

Fix

Out-of-bounds Read

Weakness Enumeration

Related Identifiers

CVE-2024-21506
GHSA-CR6F-GF5W-VHRC
MGASA-2024-0187
OESA-2024-1388
OPENSUSE-SU-2024_1571-1
OPENSUSE-SU-2024_1571-2
SUSE-SU-2024:1571-1
SUSE-SU-2024:1571-2

Affected Products

Suse
Pymongo