CVE-2024-6376 HIGH

CVE-2024-6376: ejson shell parser in MongoDB Compass may be bypassed

Vendor MongoDB Inc.
Product MongoDB Compass
Weakness CWE-20 · Input validation
Published July 1, 2024
Last update August 1, 2024

CVSS base score

7.0/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

MongoDB Compass may be susceptible to code injection because of insufficient sandbox protection settings in its use of the ejson shell parser within Compass's connection handling. This issue affects MongoDB Compass versions prior to 1.42.2.

Key dates

Disclosure timeline

July 1, 2024 CVE published
August 1, 2024 Record updated