CVE-2024-21506

Published: 6 April 2024

Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the following bytes are not printable UTF-8 the parser throws an exception with a single byte.

Priority

Status

Package	Release	Status
pymongo Launchpad, Ubuntu, Debian	bionic	Needed
	focal	Needed
	jammy	Needed
	mantic	Needed
	noble	Released
	trusty	Needed
	upstream	Released (4.7.0)
	xenial	Needed
	Patches: upstream: https://github.com/mongodb/mongo-python-driver/commit/56b6b6dbc267d365d97c037082369dabf37405d2

References

https://security.snyk.io/vuln/SNYK-PYTHON-PYMONGO-6370597
https://gist.github.com/keltecc/62a7c2bf74a997d0a7b48a0ff3853a03
https://www.cve.org/CVERecord?id=CVE-2024-21506
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.