GHSA-m87m-mmvp-v9qm

Suggest an improvement
Source
https://github.com/advisories/GHSA-m87m-mmvp-v9qm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-m87m-mmvp-v9qm/GHSA-m87m-mmvp-v9qm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m87m-mmvp-v9qm
Aliases
Related
Published
2024-06-05T15:30:39Z
Modified
2024-06-25T02:34:13.061847Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:L CVSS Calculator
Summary
PyMongo Out-of-bounds Read in the bson module
Details

Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the following bytes are not printable UTF-8 the parser throws an exception with a single byte.

References

Affected packages

PyPI / pymongo

Package

Name
pymongo
View open source insights on deps.dev
Purl
pkg:pypi/pymongo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.6.3

Affected versions

0.*

0.1pre
0.1.1pre
0.1.2pre
0.2pre
0.3pre
0.3.1pre
0.4pre
0.5pre
0.5.1pre
0.5.2pre
0.5.3pre
0.6
0.7
0.7.1
0.7.2
0.8
0.8.1
0.9
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.10
0.10.1
0.10.2
0.10.3
0.11
0.11.1
0.11.2
0.11.3
0.12
0.13
0.14
0.14.1
0.14.2
0.15
0.15.1
0.15.2
0.16

1.*

1.0
1.1
1.1.1
1.1.2
1.2
1.2.1
1.3
1.4
1.5
1.5.1
1.5.2
1.6
1.7
1.8
1.8.1
1.9
1.10
1.10.1
1.11

2.*

2.0
2.0.1
2.1
2.1.1
2.2
2.2.1
2.3
2.4
2.4.1
2.4.2
2.5
2.5.1
2.5.2
2.6
2.6.1
2.6.2
2.6.3
2.7
2.7.1
2.7.2
2.8
2.8.1
2.9
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5

3.*

3.0
3.0.1
3.0.2
3.0.3
3.1
3.1.1
3.2
3.2.1
3.2.2
3.3.0
3.3.1
3.4.0
3.5.0
3.5.1
3.6.0
3.6.1
3.7.0
3.7.1
3.7.2
3.8.0
3.9.0
3.10.0
3.10.1
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.12.0
3.12.1
3.12.2
3.12.3
3.13.0

4.*

4.0
4.0.1
4.0.2
4.1.0
4.1.1
4.2.0
4.3.2
4.3.3
4.4.0b0
4.4.0
4.4.1
4.5.0
4.6.0
4.6.1
4.6.2