Moderate severityNVD Advisory· Published Jun 5, 2024· Updated Feb 13, 2025
Out-of-bounds read in bson module of PyMongo
CVE-2024-5629
Description
An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pymongoPyPI | < 4.6.3 | 4.6.3 |
Affected products
26- MongoDB Inc/PyMongov5cpe:2.3:a:mongodb:python_driver:0.4:pre:*:*:*:mongodb:*:*Range: 0
- osv-coords25 versionspkg:apk/chainguard/kubeflow-pipelines-visualization-serverpkg:apk/wolfi/kubeflow-pipelines-visualization-serverpkg:pypi/pymongopkg:rpm/almalinux/python36pkg:rpm/almalinux/python36-debugpkg:rpm/almalinux/python36-develpkg:rpm/almalinux/python36-rpm-macrospkg:rpm/almalinux/python3-bsonpkg:rpm/almalinux/python3-distropkg:rpm/almalinux/python3-docspkg:rpm/almalinux/python3-docutilspkg:rpm/almalinux/python3-nosepkg:rpm/almalinux/python3-pygmentspkg:rpm/almalinux/python3-pymongopkg:rpm/almalinux/python3-pymongo-gridfspkg:rpm/almalinux/python3-PyMySQLpkg:rpm/almalinux/python3-scipypkg:rpm/almalinux/python3-sqlalchemypkg:rpm/almalinux/python3-virtualenvpkg:rpm/almalinux/python3-wheelpkg:rpm/almalinux/python3-wheel-wheelpkg:rpm/almalinux/python-nose-docspkg:rpm/almalinux/python-pymongo-docpkg:rpm/almalinux/python-sqlalchemy-docpkg:rpm/almalinux/python-virtualenv-doc
< 2.2.0-r0+ 24 more
- (no CPE)range: < 2.2.0-r0
- (no CPE)range: < 2.2.0-r0
- (no CPE)range: < 4.6.3
- (no CPE)range: < 3.6.8-39.module_el8.10.0+3769+3838165b
- (no CPE)range: < 3.6.8-39.module_el8.10.0+3769+3838165b
- (no CPE)range: < 3.6.8-39.module_el8.10.0+3769+3838165b
- (no CPE)range: < 3.6.8-39.module_el8.10.0+3769+3838165b
- (no CPE)range: < 3.7.0-2.module_el8.10.0+3998+2cf36268
- (no CPE)range: < 1.4.0-2.module_el8.9.0+3700+efebe9fd
- (no CPE)range: < 3.6.7-2.module_el8.9.0+3700+efebe9fd
- (no CPE)range: < 0.14-12.module_el8.9.0+3700+efebe9fd
- (no CPE)range: < 1.3.7-31.module_el8.9.0+3700+efebe9fd
- (no CPE)range: < 2.2.0-22.module_el8.9.0+3700+efebe9fd
- (no CPE)range: < 3.7.0-2.module_el8.10.0+3998+2cf36268
- (no CPE)range: < 3.7.0-2.module_el8.10.0+3998+2cf36268
- (no CPE)range: < 0.10.1-2.module_el8.9.0+3700+efebe9fd
- (no CPE)range: < 1.0.0-21.module_el8.9.0+3700+efebe9fd
- (no CPE)range: < 1.3.2-3.module_el8.10.0+3769+3838165b
- (no CPE)range: < 15.1.0-23.module_el8.10.0+3937+b6a3652f
- (no CPE)range: < 1:0.31.1-3.module_el8.9.0+3700+efebe9fd
- (no CPE)range: < 1:0.31.1-3.module_el8.9.0+3700+efebe9fd
- (no CPE)range: < 1.3.7-31.module_el8.9.0+3700+efebe9fd
- (no CPE)range: < 3.7.0-2.module_el8.10.0+3998+2cf36268
- (no CPE)range: < 1.3.2-3.module_el8.10.0+3769+3838165b
- (no CPE)range: < 15.1.0-23.module_el8.10.0+3937+b6a3652f
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-m87m-mmvp-v9qmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-5629ghsaADVISORY
- gist.github.com/keltecc/62a7c2bf74a997d0a7b48a0ff3853a03ghsaWEB
- github.com/mongodb/mongo-python-driver/commit/56b6b6dbc267d365d97c037082369dabf37405d2ghsaWEB
- jira.mongodb.org/browse/PYTHON-4305ghsarelease-notesWEB
- lists.debian.org/debian-lts-announce/2024/06/msg00007.htmlghsaWEB
- security.snyk.io/vuln/SNYK-PYTHON-PYMONGO-6370597ghsaWEB
News mentions
0No linked articles in our index yet.