GHSA-jxr4-4prv-mh83

Source
https://github.com/advisories/GHSA-jxr4-4prv-mh83
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-jxr4-4prv-mh83/GHSA-jxr4-4prv-mh83.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jxr4-4prv-mh83
Aliases
  • CVE-2024-6376
Published
2024-07-01T15:32:47Z
Modified
2025-02-27T21:12:20.202391Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
ejson shell parser in MongoDB Compass may be bypassed
Details

MongoDB Compass may be susceptible to code injection because the ejson shell parser used in Compass' connection handling ran with insufficient sandbox protection settings. This issue affects MongoDB Compass versions prior to version 1.42.2.

Database specific
{
    "github_reviewed_at": "2025-02-27T20:59:11Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": "2024-07-01T15:15:17Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-94"
    ]
}
References

Affected packages

npm / @mongodb-js/connection-form

Package

Name
@mongodb-js/connection-form
Purl
pkg:npm/%40mongodb-js/connection-form

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.20.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-jxr4-4prv-mh83/GHSA-jxr4-4prv-mh83.json"