Action not permitted
Modal body text goes here.
Modal Title
Modal Body
GHSA-M87M-MMVP-V9QM
Vulnerability from github – Published: 2024-06-05 15:30 – Updated: 2024-06-18 19:15Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the following bytes are not printable UTF-8 the parser throws an exception with a single byte.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pymongo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-5629"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-05T17:10:59Z",
"nvd_published_at": "2024-06-05T15:15:12Z",
"severity": "MODERATE"
},
"details": "Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the following bytes are not printable UTF-8 the parser throws an exception with a single byte.",
"id": "GHSA-m87m-mmvp-v9qm",
"modified": "2024-06-18T19:15:23Z",
"published": "2024-06-05T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5629"
},
{
"type": "WEB",
"url": "https://github.com/mongodb/mongo-python-driver/commit/56b6b6dbc267d365d97c037082369dabf37405d2"
},
{
"type": "WEB",
"url": "https://gist.github.com/keltecc/62a7c2bf74a997d0a7b48a0ff3853a03"
},
{
"type": "PACKAGE",
"url": "https://github.com/mongodb/mongo-python-driver"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/PYTHON-4305"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00007.html"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-PYTHON-PYMONGO-6370597"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "PyMongo Out-of-bounds Read in the bson module "
}
CVE-2024-5629 (GCVE-0-2024-5629)
Vulnerability from cvelistv5 – Published: 2024-06-05 14:32 – Updated: 2025-02-13 17:54- CWE-125 - Out-of-bounds Read
| Vendor | Product | Version | |
|---|---|---|---|
| MongoDB Inc | PyMongo |
Affected:
0 , ≤ 4.6.2
(custom)
cpe:2.3:a:mongodb:python_driver:0.4:pre:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.5:pre:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.5.1:pre:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.5.2:pre:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.5.3:pre:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.6:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.7:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.7.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.7.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.8:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.8.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.9:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.9.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.9.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.9.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.9.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.9.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.10.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.10.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.10.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.11:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.11.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.11.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.11.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.12:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.13:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.14:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.14.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.14.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.15:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.15.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.15.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:0.16:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1.1.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1.1.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1.2.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1.5.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1.5.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1.6:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1.7:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1.8:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1.8.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1.9:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1.10.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:1.11:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.0.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.1.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.2:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.2:rc1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.2.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.3:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.3:rc1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.4.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.4.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.5.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.5.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.6:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.6.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.6.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.6.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.7:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.7:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.7:rc1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.7.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.7.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.8:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.8:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.8:rc1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.8:rc2:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.8.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.9:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.9:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.9.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.9.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.9.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.9.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:2.9.5:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3:b0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3:b1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3:rc1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.0.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.0.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.0.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.1:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.1:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.1.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.2:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.2:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.2.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.2.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.3.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.3.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.4:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.4.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.5.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.5.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.6:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.6.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.6.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.7.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.7.0:b0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.7.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.7.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.8.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.9.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.9.0:b0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.9.0:b1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.10.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.10.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.11.0:-:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.11.0:b0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.11.0:b1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.11.0:rc0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.11.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.11.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.11.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.11.4:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.12.0:b0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.12.0:b1:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.12.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.12.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.12.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:3.13.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:4.0.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:4.0.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:4.0.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:4.1.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:4.1.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:4.2.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:4.3.2:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:4.3.3:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:4.4.0:b0:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:4.4.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:4.4.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:4.5.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:4.6.0:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:4.6.1:*:*:*:*:mongodb:*:* cpe:2.3:a:mongodb:python_driver:4.6.2:*:*:*:*:mongodb:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5629",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-05T20:52:39.427569Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-05T20:52:59.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-09-16T23:02:28.936Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://jira.mongodb.org/browse/PYTHON-4305"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00007.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00032.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mongodb:python_driver:0.4:pre:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.5:pre:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.5.1:pre:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.5.2:pre:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.5.3:pre:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.6:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.7:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.7.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.7.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.8:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.8.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.9:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.9.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.9.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.9.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.9.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.9.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.10.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.10.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.10.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.11:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.11.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.11.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.11.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.12:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.13:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.14:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.14.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.14.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.15:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.15.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.15.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:0.16:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1.1.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1.1.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1.2.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1.5.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1.5.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1.6:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1.7:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1.8:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1.8.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1.9:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1.10.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:1.11:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.0.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.1.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.2:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.2:rc1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.2.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.3:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.3:rc1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.4.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.4.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.5.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.5.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.6:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.6.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.6.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.6.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.7:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.7:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.7:rc1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.7.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.7.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.8:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.8:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.8:rc1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.8:rc2:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.8.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.9:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.9:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.9.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.9.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.9.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.9.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:2.9.5:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3:b0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3:b1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3:rc1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.0.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.0.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.0.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.1:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.1:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.1.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.2:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.2:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.2.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.2.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.3.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.3.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.4:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.4.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.5.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.5.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.6:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.6.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.6.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.7.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.7.0:b0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.7.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.7.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.8.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.9.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.9.0:b0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.9.0:b1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.10.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.10.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.11.0:-:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.11.0:b0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.11.0:b1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.11.0:rc0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.11.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.11.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.11.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.11.4:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.12.0:b0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.12.0:b1:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.12.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.12.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.12.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:3.13.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:4.0.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:4.0.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:4.0.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:4.1.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:4.1.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:4.2.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:4.3.2:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:4.3.3:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:4.4.0:b0:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:4.4.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:4.4.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:4.5.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:4.6.0:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:4.6.1:*:*:*:*:mongodb:*:*",
"cpe:2.3:a:mongodb:python_driver:4.6.2:*:*:*:*:mongodb:*:*"
],
"defaultStatus": "unaffected",
"product": "PyMongo",
"vendor": "MongoDB Inc",
"versions": [
{
"lessThanOrEqual": "4.6.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-06-05T14:32:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn out-of-bounds read in the \u0027bson\u0027 module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "An out-of-bounds read in the \u0027bson\u0027 module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T13:05:51.315Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://jira.mongodb.org/browse/PYTHON-4305"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00007.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Out-of-bounds read in bson module of PyMongo",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2024-5629",
"datePublished": "2024-06-05T14:32:56.435Z",
"dateReserved": "2024-06-04T13:49:31.496Z",
"dateUpdated": "2025-02-13T17:54:22.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
PYSEC-2026-1826
Vulnerability from pysec - Published: 2026-07-07 11:45 - Updated: 2026-07-07 17:25Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the following bytes are not printable UTF-8 the parser throws an exception with a single byte.
| Name | purl | pymongo | pkg:pypi/pymongo |
|---|
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pymongo",
"purl": "pkg:pypi/pymongo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.1.1pre",
"0.1.2pre",
"0.10",
"0.10.1",
"0.10.2",
"0.10.3",
"0.11",
"0.11.1",
"0.11.2",
"0.11.3",
"0.12",
"0.13",
"0.14",
"0.14.1",
"0.14.2",
"0.15",
"0.15.1",
"0.15.2",
"0.16",
"0.1pre",
"0.2pre",
"0.3.1pre",
"0.3pre",
"0.4pre",
"0.5.1pre",
"0.5.2pre",
"0.5.3pre",
"0.5pre",
"0.6",
"0.7",
"0.7.1",
"0.7.2",
"0.8",
"0.8.1",
"0.9",
"0.9.1",
"0.9.2",
"0.9.3",
"0.9.4",
"0.9.5",
"0.9.6",
"0.9.7",
"1.0",
"1.1",
"1.1.1",
"1.1.2",
"1.10",
"1.10.1",
"1.11",
"1.2",
"1.2.1",
"1.3",
"1.4",
"1.5",
"1.5.1",
"1.5.2",
"1.6",
"1.7",
"1.8",
"1.8.1",
"1.9",
"2.0",
"2.0.1",
"2.1",
"2.1.1",
"2.2",
"2.2.1",
"2.3",
"2.4",
"2.4.1",
"2.4.2",
"2.5",
"2.5.1",
"2.5.2",
"2.6",
"2.6.1",
"2.6.2",
"2.6.3",
"2.7",
"2.7.1",
"2.7.2",
"2.8",
"2.8.1",
"2.9",
"2.9.1",
"2.9.2",
"2.9.3",
"2.9.4",
"2.9.5",
"3.0",
"3.0.1",
"3.0.2",
"3.0.3",
"3.1",
"3.1.1",
"3.10.0",
"3.10.1",
"3.11.0",
"3.11.1",
"3.11.2",
"3.11.3",
"3.11.4",
"3.12.0",
"3.12.1",
"3.12.2",
"3.12.3",
"3.13.0",
"3.2",
"3.2.1",
"3.2.2",
"3.3.0",
"3.3.1",
"3.4.0",
"3.5.0",
"3.5.1",
"3.6.0",
"3.6.1",
"3.7.0",
"3.7.1",
"3.7.2",
"3.8.0",
"3.9.0",
"4.0",
"4.0.1",
"4.0.2",
"4.1.0",
"4.1.1",
"4.2.0",
"4.3.2",
"4.3.3",
"4.4.0",
"4.4.0b0",
"4.4.1",
"4.5.0",
"4.6.0",
"4.6.1",
"4.6.2"
]
}
],
"aliases": [
"CVE-2024-5629",
"GHSA-m87m-mmvp-v9qm"
],
"details": "Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the following bytes are not printable UTF-8 the parser throws an exception with a single byte.",
"id": "PYSEC-2026-1826",
"modified": "2026-07-07T17:25:12.562753Z",
"published": "2026-07-07T11:45:45.680005Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5629"
},
{
"type": "WEB",
"url": "https://github.com/mongodb/mongo-python-driver/commit/56b6b6dbc267d365d97c037082369dabf37405d2"
},
{
"type": "WEB",
"url": "https://gist.github.com/keltecc/62a7c2bf74a997d0a7b48a0ff3853a03"
},
{
"type": "PACKAGE",
"url": "https://github.com/mongodb/mongo-python-driver"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/PYTHON-4305"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00007.html"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-PYTHON-PYMONGO-6370597"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/pymongo"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-m87m-mmvp-v9qm"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "PyMongo Out-of-bounds Read in the bson module "
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.