4.7

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-5629

GHSA ID

GHSA-m87m-mmvp-v9qm

EPSS Score

0.21759%

CWE

CWE-125

Published

6/5/2024

Updated

6/18/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-5629

CVE-2024-5629: PyMongo Out-of-bounds Read in the bson module

Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the following bytes are not printable UTF-8 the parser throws an exception with a single byte.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-5629

CVE-2024-5629:

4.7

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-5629

GHSA ID

GHSA-m87m-mmvp-v9qm

EPSS Score

0.21759%

CWE

CWE-125

Published

6/5/2024

Updated

6/18/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pymongo	pip	< 4.6.3	4.6.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided commit directly patches the get_value function in bson/_cbsonmodule.c. The changes involve adding stricter and more comprehensive size checks for code_size and scope_size when parsing BSON elements of type _BINARY_JAVASCRIPT_WITH_SCOPE. The vulnerability description states that a crafted payload could force the parser to deserialize unmanaged memory due to an out-of-bounds read. The patch addresses this by ensuring that the declared sizes for the JavaScript code and its scope, along with other metadata, do not exceed the available buffer (max) and are internally consistent (e.g., len < code_size or len < scope_size checks for overflow). The get_value function is where this parsing and validation occurs, making it the direct site of the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-5629: PyMongo Out-of-bounds Read in the bson module

CVE-2024-5629:

4.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-5629: PyMongo Out-of-bounds Read in the bson module

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

4.7

4.7

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI